Compare commits

53 Commits
0.0 ... main

Author SHA1 Message Date
DarkFeather 69e2bcc966
Evolution of deployment 2023-11-30 02:47:16 -06:00
DarkFeather 8392a3fe46
Hooks catch-up 2023-11-30 02:44:01 -06:00
DarkFeather 63a43c6f0e
Fixing PKGBUILD dependencies 2023-11-16 12:59:49 -06:00
DarkFeather 444b8171f5
Adding packaging 2023-10-20 19:08:32 -05:00
DarkFeather ea75da1b41
catchup 2023-10-08 12:28:14 -05:00
DarkFeather 5ab88dc387
Updating some SSH config 2023-07-19 15:41:27 -05:00
DarkFeather 60f848b55d
Extending check interval for warrant canary checks 2023-05-30 16:03:22 -05:00
DarkFeather 75bf57c131
Adding checks on AniNIX/Grimoire to Core 2023-05-30 15:51:36 -05:00
DarkFeather 921e45afda
pacman hook was using wrong user 2023-05-05 05:16:48 -05:00
DarkFeather 633f231b26
Catching up config with known state 2023-05-02 17:32:11 -05:00
DarkFeather be2908625d
Adding org-wide packaging config to AniNIX/Maat 2023-05-01 22:01:30 -05:00
DarkFeather 49b67de7ec
Removing large amounts of extra commenting and old/unused features; SASL support 2023-04-18 23:56:59 -05:00
DarkFeather e9fde0d8c9
Removing storefront from /martialarts; decomming stagnant copy of our RSS feed 2023-04-07 20:14:26 -05:00
DarkFeather 6a4aabee01
OpenVPN now manages the tunnel device -- DarkNet does not need bridge/tap config 2023-03-29 23:31:04 -05:00
DarkFeather 5fef78f60e
Catching up IRC -- MOTD colors; servicefile; logging; config 2023-03-22 17:44:57 -05:00
DarkFeather 2f93e03f3a
Zeek currently fails to build and burns too many system resources -- dropping. 2023-02-27 23:45:58 -06:00
DarkFeather 638b4e8c6e
Seeding Maat role 2023-02-22 22:33:58 -06:00
DarkFeather 956b00a06e
Syncing scripts and hooks 2023-02-22 21:54:52 -06:00
DarkFeather d92ab6acda
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00
DarkFeather a2fecf9d64
Adding DHParam generation for IRC ssl_openssl 2023-01-20 08:49:56 -06:00
DarkFeather bef53d5889
Placing mediawiki package on hold 2022-12-23 11:28:29 -06:00
DarkFeather 99b7b9026c
Removing IRC-Bots as a separate role -- folding into IRC role as part of the service 2022-12-18 22:25:40 -06:00
DarkFeather c589f5ac55
Updating DarkNet VPN setup 2022-12-18 22:24:44 -06:00
DarkFeather 36d0be5f88
Infrastructure cleanup 2022-12-18 22:23:17 -06:00
DarkFeather 890e20c64c
Catching up Webserver config 2022-12-18 22:21:39 -06:00
DarkFeather 72a62b63eb
Seeding IRC automation after a lot of work 2022-12-18 22:18:43 -06:00
DarkFeather 0626c66413
Removing large files; adding hook to watch for them 2022-12-18 22:14:25 -06:00
DarkFeather a34c96df6b
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00
DarkFeather a43cb4b6bb
Updates to fix certbot.service issues reloading 2022-10-01 23:54:40 -05:00
DarkFeather 12d2ca9a1d
Updating WebServer deployment 2022-09-15 14:23:34 -05:00
DarkFeather 81b9a0a190
Logic update in tmux-hosts 2022-09-15 13:16:39 -05:00
DarkFeather b7d26b6aa7
Updating Foundation role 2022-09-15 13:16:08 -05:00
DarkFeather 94f546a7be
Starting Foundation automation 2022-07-02 10:24:10 -05:00
DarkFeather 59b54619f7
Catching up Sharingan, Geth, and ShadowArch roles 2022-05-25 14:50:16 -05:00
DarkFeather 8b2b0be95b
Ensuring we go through local networking for our VIPs 2022-05-23 21:30:24 -05:00
DarkFeather 9758b23193
Current state; https://archlinux.org/news/qemu-700-changes-split-package-setup/ 2022-05-11 17:20:57 -05:00
DarkFeather 51e2836378
Updating Sharingan for testing 2022-05-04 10:30:23 -05:00
DarkFeather 01dde4008d
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00
DarkFeather d0146770a4
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00
DarkFeather 1c2f4266ad
Adding Nazara README.md 2022-04-29 11:15:20 -05:00
DarkFeather d1140cf78b
Catching up with current dev 2022-04-19 12:01:03 -05:00
DarkFeather a881363b9b
Fixing Nazara errors 2022-03-25 06:08:12 -05:00
DarkFeather 5d04f1b393
Updating Geth-Hub role for config options; moving sources.list to ShadowArch control with pacman.conf 2022-01-29 23:41:46 -06:00
DarkFeather 921d53c724
Catching up with current successes 2022-01-25 23:54:43 -06:00
DarkFeather 94a4736839
Syncing current state. 2021-12-19 21:32:19 -06:00
DarkFeather eb39acaa06
Adding a role for TheRaven 2021-11-21 04:53:42 -06:00
DarkFeather 8f85acce78
Seeding the Cyberbrain role 2021-11-09 16:01:39 -06:00
DarkFeather 87775fe636
Updates for structure 2021-03-16 03:09:19 -05:00
DarkFeather 68ef34c3c6
Adding some SSL support scripts 2021-01-01 12:45:34 -06:00
DarkFeather 17a9e9ef7d
Group controls, hostkey protection, and typo correction in SSH 2020-12-25 05:40:57 -06:00
DarkFeather 432cc36ef8
Updating DarkNet role 2020-11-02 16:15:47 -06:00
DarkFeather ffbd7b7bd8
Adding better syslog 2020-10-18 23:49:25 -05:00
DarkFeather e12c8ff0c6
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
278 changed files with 21397 additions and 2 deletions

14
.gitignore vendored

@ -1,3 +1,17 @@
# Generated files
roles/Node/files/*-vm.service
roles/Nazara/files/dns
roles/Nazara/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
roles/Sharingan/files/monit/checks/availability
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**/src/**
**pkg.tar.zst
wiki/**
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/

31
Makefile Normal file

@ -0,0 +1,31 @@
pkgdirname != basename `git config remote.origin.url` | sed 's/.git$$//'
optlist = bin examples playbooks roles
compile:
@echo Nothing to do
install: clean compile
mkdir -p ${pkgdir}/opt/aninix/${pkgdirname}/
for opt in ${optlist}; do cp -pr $$opt ${pkgdir}/opt/aninix/${pkgdirname}/${opt}; done
make checkperm
clean:
git clean -fdX
uninstall:
rm -Rf ${pkgdir}/opt/aninix/${pkgdirname}/
test: compile
#python3 -m pytest
checkperm:
chown -R root: ${pkgdir}/opt/aninix/${pkgdirname}/
chmod 0755 ${pkgdir}/opt/aninix/${pkgdirname}/
chmod -R a+r ${pkgdir}/opt/aninix/${pkgdirname}/
diff:
@echo Nothing to do.
for opt in ${optlist}; do diff -r ${pkgdir}/opt/aninix/${pkgdirname}/${opt} $$opt; done
reverse:
for opt in ${optlist}; do rsync -avzlp ${pkgdir}/opt/aninix/${pkgdirname}/${opt}/ $$opt; done
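
Review bot: in the `diff` and `reverse` recipes, `${opt}` is expanded by make rather than by the shell loop, and no make variable named `opt` is defined, so it expands to nothing. `diff -r ${pkgdir}/opt/aninix/${pkgdirname}/${opt} $$opt` therefore compares the whole install root against each source directory, and `reverse` rsyncs the whole install root into each of `bin`, `examples`, `playbooks` and `roles`. Use `$$opt` on both sides; `install` only works because `cp -pr $$opt <dir>/` happens to want the parent directory. Separately, `install` depends on `clean`, which runs `git clean -fdX` and deletes every ignored file in the checkout (the `.gitignore` in this comparison lists `venv/**` and the generated role files), and `uninstall` runs `rm -Rf` on a path that collapses to `${pkgdir}/opt/aninix/` if `pkgdirname` comes back empty; guard both.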

46
PKGBUILD Normal file

@ -0,0 +1,46 @@
pkgname="$(git config remote.origin.url | rev | cut -f 1 -d '/' | rev | sed 's/.git$//')"
pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
pkgrel=1
pkgrel() {
git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit
}
epoch=
pkgdesc="$(head -n 1 README.md)"
arch=("x86_64")
url="https://aninix.net/foundation/${pkgname}"
license=('custom')
groups=()
depends=('bash>=4.4' 'python>=3.11' 'ansible>=8.3' 'tmux' 'openssh')
makedepends=('make>=4.2')
checkdepends=()
optdepends=()
provides=("${pkgname}")
conflicts=()
replaces=("${pkgname,,}" "aninix-${pkgname,,}")
backup=()
options=()
install=
changelog=
source=()
noextract=()
md5sums=()
validpgpkeys=()
prepare() {
git pull
}
build() {
make -C ..
}
check() {
chmod -R u+r ../pkg
make -C .. test
}
package() {
export pkgdir="${pkgdir}"
make -C .. install
install -D -m644 ../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}
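
Review bot: `prepare()` runs `git pull` while `source=()`, `md5sums=()` and `validpgpkeys=()` are all empty, so makepkg verifies nothing and the package content is whatever the remote serves at build time. Drop the pull and build from a pinned ref listed in `source=()` with a checksum or a signed tag, so that a build is reproducible and reviewable. Also, `pkgrel=1` is followed by a `pkgrel()` function; makepkg reads the variable, so the commit-count function never takes effect and can be removed or folded into the variable.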


@ -1,3 +1,43 @@
# Tenebrous
This project will discover and provide inventory intelligence to Sora, Shadowfeed, Geth, and Sharingan.
This project will discover and provide inventory intelligence to Sora, Shadowfeed, Geth, and Sharingan. It is named after the fictional Tenebrous from the SWTOR game.
*Note*: This project is in progress -- former Makefiles from [ConfigPackages](/AniNIX/ConfigPackages) are being upgraded into Ansible playbooks here.
# Etymology
It is named after the fictional Star Wars Imperial Intelligence organization that oversaw the various divisions of Intelligence and orchestrated their operations. Like its namesake, this project oversees the various tools within our ecosystem and enforces compliance with standards.
# Relevant Files and Software
This project expects that you use an Ansible vault for credentials. Create one and add this to your `.bashrc`.
```
export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.password
export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
```
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own.
Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).
Then, use the SSH key playbook to copy your key and the deploy playbook to set things up.
```
ansible-playbook -i your-inventory.yml playbooks/sshkey.yml
ansible-playbook -i your-inventory.yml playbooks/deploy.yml
```
We've also added two scripts in `./bin` to make your life easier:
* `full-deploy`: This is the general role. If you are creating an AniNIX replica, once you have your inventory and vault populated, then you can run this script to push everything. This is also optimal when rotating vault secrets or other global tasks. This is effectively standardizing invocation of our overall deployment playbook.
* `deploy-role`: When you are updating a specific role, use this script to push that role to your group. Ideally, this should only be used to push a role that you have been working on to a target group in your inventory that's already tagged for the role in the deployment playbook.
Happy hacking!
## Exceptions
Some services, such as AniNIX/Sharingan and AniNIX/Geth, store their configuration in internal datastructures and databases such that we cannot easily export our build for others to use. We will document what we have done for each of these as best we can in the README.md files for others to replicate. Backups of these services into AniNIX/Aether are therefore dumps of these databases and not available to share.
# Available Clients
This service is a management tool -- its files get used by the Ansible toolset. There are no clients to connect directly to this service, as we have chosen a serverless approach.
# Equivalents or Competition
This service is our elected Infrastructure-as-Code solution -- many professional tools like Ansible Tower, Terraform, etc. do the same thing. Some apps ship OVA's, or prebuilt images, of their software. Docker registries also serve as similar way to document the means by which services are built.
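
Review bot: the vault snippet under "Relevant Files and Software" uses `${organization}` in both exports but never says where that variable is set, so pasting it into `.bashrc` as written yields paths ending in `/.vault.password` and `/.vault`. Define it in the snippet or replace it with a visible placeholder, and state that the password file should be readable only by its owner and kept out of any checkout. The title also still reads `# Tenebrous` while the scripts in this comparison refer to the Ubiqtorate checkout.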

48
bin/deploy-role Executable file

@ -0,0 +1,48 @@
#!/bin/bash
# Role is first argument
role="$1"
if [ -z "$role" ]; then
echo Need a role as first argument.
exit 1
fi
# Handle verbosity
if [ "$1" == "-v" ]; then
set -x
shift
role="$1"
fi
# Handle usage
if [ "$role" == "-h" ] || [ "$role" == "--help" ]; then
echo "Usage: $0 -h"
echo " $0 \$role \$targetgroup [\$optional_inventory]"
exit 0
fi
# Find the root of the git clone
while [ ! -d .git ]; do
cd ..
if [ "$PWD" == '/' ]; then
echo "This needs to be run from the Ubiqtorate checkout"
exit 3
fi
done
# Get the targetgroup
targetgroup="$2"
if [ -z "$targetgroup" ]; then
targetgroup="$role" # Deploy a role to the server named for that function
fi
# Allow an inventory override
inventory="$3"
if [ -z "$inventory" ]; then
inventory=examples/msn0.yml
fi
# Invoke the one-role playbook for the role on the targetgroup
ansible-playbook -i "$inventory" -e "role=$role" -e "targets=$targetgroup" playbooks/one-role.yml
# and return the exit status
exit $?
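
Review bot: the empty-role check runs before the `-v` handling, so `deploy-role -v` with nothing after it shifts, sets `role` to an empty string and goes on to call `ansible-playbook` with `role=` and `targets=`. Parse the options first and validate `role` afterwards. The `cd ..` loop that looks for `.git` also changes the working directory before `$3` is used, so a relative inventory path given from a subdirectory no longer resolves; turn it into an absolute path before the loop.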

24
bin/full-deploy Executable file

@ -0,0 +1,24 @@
#!/bin/bash
# Arguments
inventory="$1"
if [ "$inventory" == "-h" ] || [ "$inventory" == "--help" ]; then
echo "Usage: $0 -h # Usage"
echo " $0 # Run a complete deployment."
exit 0
elif [ -z "$inventory" ]; then
inventory="examples/msn0.yml"
fi
# Find the root of the git clone
while [ ! -d .git ]; do
cd ..
if [ "$PWD" == '/' ]; then
echo "This needs to be run from the Ubiqtorate checkout"
exit 3
fi
done
ansible-playbook -i examples/msn0.yml playbooks/deploy.yml
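
Review bot: the last line passes `-i examples/msn0.yml` literally, so the `inventory` value parsed from `$1` is never used and a deployment requested against another inventory still runs against the example one. Use `-i "$inventory"`, show the optional inventory argument in the usage text, and resolve a relative path before the `cd ..` loop moves the working directory.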

14
bin/generate-mirrorlist Executable file

@ -0,0 +1,14 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## United States$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/candidates
cat <<EOM > ../roles/Maat/files/pacoloco.yaml
port: 9129
download_timeout: 3600 # download will timeout after 3600 seconds
cache_dir: /var/cache/pacoloco
purge_files_after: 360000 # 360000 seconds or 100 hours, 0 to disable
repos:
archlinux:
urls:
$(rankmirrors -n 6 /tmp/candidates | sed 's/^Server = / - /' | grep -v generated\ by | cut -f 1 -d \$)
user_agent: Pacoloco
EOM
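
Review bot: the candidate list is written to the fixed path `/tmp/candidates`, which any local user can pre-create or replace with a symlink before the script runs, and its contents end up as the upstream `urls` in `pacoloco.yaml`. Use `mktemp` and remove the file in a trap. The `curl -s` call also has no `-f` and the script has no `set -euo pipefail`, so a failed download produces a config with an empty `urls:` list instead of an error; the `../roles/Maat/...` output path additionally assumes the script is started from `bin/`.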

83
bin/generate-monitoring.py Executable file

@ -0,0 +1,83 @@
#!/usr/bin/env python3
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import subprocess
import sys
import yaml
rolepath='../roles/Sharingan/files'
monfilepath=rolepath+"/monit/checks/availability"
def WriteMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ping_mon with path "/usr/lib/monitoring-plugins/check_ping -H ' + hostname + ' -w 100,50% -c 1000,100% -p 3 -t 60 -4"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not online."\n\n')
except:
print(host + ' is not complete for monitoring.')
def WriteSSHMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ssh_mon with path "/usr/lib/monitoring-plugins/check_ssh -H ' + hostname + '"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not responding to SSH."\n\n')
except:
print(host + ' is not complete for monitoring.')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global monfilepath
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
if os.path.isfile(monfilepath): os.remove(monfilepath)
# Add DNS entries for each host
hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']:
#WriteMonitoringEntry(content,hosttype,hostclass)
WriteSSHMonitoringEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','appliances']:
WriteMonitoringEntry(content,hosttype,hostclass)
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)
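
Review bot: in both `WriteMonitoringEntry` and `WriteSSHMonitoringEntry`, host keys from the inventory are concatenated straight into monit `check program ... with path "..."` and `exec "..."` lines, so a name containing a double quote or whitespace changes the command monit runs. Validate each name against a hostname pattern before writing. The bare `except:` around the writes reports every failure as "not complete for monitoring", including I/O errors; catch `KeyError` only. The file header still names `generate-pihole-dns-dhcp.py` and describes DNS and DHCP generation, and the comment in `WriteSSHMonitoringEntry` says ping-based.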

86
bin/generate-pihole-dns-dhcp.py Executable file

@ -0,0 +1,86 @@
#!/usr/bin/env python3
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import subprocess
import sys
import yaml
rolepath='../roles/Nazara/files'
dnsfilepath=rolepath+"/dns"
dhcpfilepath=rolepath+"/dhcp"
def WriteDHCPEntry(content,hosttype,hostclass):
### Create the DHCP entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global dhcpfile
with open(dhcpfilepath,'a') as dhcpfile:
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
except:
print(host + ' is not complete for DHCP.')
def WriteDNSEntry(content,hosttype,hostclass):
### Create the DNS entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global dnsfile
with open(dnsfilepath,'a') as dnsfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
except:
print(host + ' is not complete for DNS.')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global dnsfile
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
# Clear the DNS file
with open(dhcpfilepath,'w') as dhcpfile:
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
with open(dnsfilepath,'w') as dnsfile:
vips=subprocess.run(["/bin/bash", "-c", "echo | openssl s_client -connect "+content['all']['vars']['external_domain']+":443 | openssl x509 -text -noout | grep DNS: | tr ',' '\n' | sed 's/\s\+DNS://' | grep -ivE ^"+content['all']['vars']['external_domain']+" | tr '\n' ' '"], capture_output=True).stdout.decode("utf-8")
dnsfile.write(content['all']['vars']['webfront']+' '+content['all']['vars']['external_domain']+' '+vips+"\n")
# Add DNS entries for each host
hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']:
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','test_ovas','appliances','adhoc_appliances','iot']:
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)
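
Review bot: in `GenerateFiles`, `external_domain` from the inventory is concatenated into a string run with `/bin/bash -c`, so any shell metacharacter in that value executes as a command on the machine generating the files. Validate the value as a hostname and pass it as a separate argument, or read the certificate with Python's `ssl` module instead of building a shell pipeline. The SAN names are also taken from whatever certificate answers on port 443, with the return code of `subprocess.run` ignored, and are written to the DNS file next to `webfront`; check the result and fail on an empty answer. The bare `except:` blocks in `WriteDHCPEntry` and `WriteDNSEntry` hide everything except the intended missing-key case and should catch `KeyError` only.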

21
bin/generate-ssh-keyscan Executable file

@ -0,0 +1,21 @@
#!/bin/bash
# File: gen-ssh-keyscan
#
# Description: This file generates a known_host block for the inventory.
#
# Package: AniNIX/HelloWorld
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
inventory="$1"
replicadomain="$(grep replica_domain:\ "$inventory" | awk '{ print $2; }';)"
for short in `ansible -i "$inventory" --list-hosts managed | grep -v hosts | sed 's/^\s\+//'`; do
long="$short"'.'"$replicadomain"
ip="$(dig "$long" +short)"
ssh-keyscan -t ed25519 -f <(echo "$long" "$long","$short","$ip") 2>&1
ssh-keyscan -t rsa -f <(echo "$long" "$long","$short","$ip") 2>/dev/null
done
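
Review bot: the ed25519 scan redirects with `2>&1`, so ssh-keyscan's stderr lines are mixed into the known_hosts block this script prints, while the rsa scan discards them with `2>/dev/null`; send both to stderr or to a log. Keys gathered by `ssh-keyscan` are only as trustworthy as the network path at scan time, so the header should say that the output has to be compared against fingerprints read on the hosts themselves before it is distributed. `$inventory` is not checked for being empty, an empty `dig` answer leaves a trailing comma in the host list, and the header names `gen-ssh-keyscan` and package `AniNIX/HelloWorld`.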

95
bin/generate-systemd-vms.py Executable file

@ -0,0 +1,95 @@
#!/usr/bin/env python3
# File: generate-systemd-vms.py
#
# Description: This file generates the systemd.service files that run our VM's
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import shutil
import sys
import yaml
filepath="roles/Node/files/vm-definitions/"
def WriteVMFile(content,hosttype,hostclass):
### Create the service files for the hosts
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global filepath
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
cores = 0
memory = 0
vnc = 0
disks = ''
mac = ''
bridge = ''
# Make sure the host definition has all the critera
try:
cores = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['cores'])
memory = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['memory'])
vnc = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vnc'])
disks = ' '.join(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['disks'])
mac = content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac']
bridge = content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['bridge']
except Exception as e:
print('Host ' + host + " doesn't have the attributes needed to be a VM -- skipping.")
print(e)
1 == 1
# Write the file.
with open(filepath+host+'-vm.service','w') as vmfile:
vmfile.write('[Unit]\n')
vmfile.write('Description=AniNIX/' + host + '\n')
vmfile.write('After=network.target\n')
vmfile.write('\n')
vmfile.write('[Service]\n')
vmfile.write('ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/' + host + ' -machine type=pc,accel=kvm')
if 'uefi' in content['all']['children'][hosttype]['children'][hostclass]['hosts'][host].keys(): vmfile.write(' -bios /usr/share/edk2-ovmf/x64/OVMF.fd')
vmfile.write(' -cpu qemu64 -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
vmfile.write('ExecReload=/bin/kill -HUP $MAINPID\n')
vmfile.write('KillMode=process\n')
vmfile.write('Restart=always\n')
vmfile.write('User=root\n')
vmfile.write('Group=root\n')
vmfile.write('\n')
vmfile.write('[Install]\n')
vmfile.write('WantedBy=multi-user.target\n')
print(host+'-vm.service')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global filepath
try:
shutil.rmtree(filepath)
except:
1 == 1
finally:
os.mkdir(filepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
# Add service files for each host
WriteVMFile(content,'managed','virtual')
WriteVMFile(content,'unmanaged','ovas',
WriteVMFile(content,'unmanaged','test_ovas')
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)
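
Review bot: the call `WriteVMFile(content,'unmanaged','ovas',` near the end of `GenerateFiles` ends in a comma with no closing parenthesis, so the file does not parse and nothing runs; close the call. In `WriteVMFile`, the `except` branch prints that the host is being skipped but has no `continue`, so a unit file is still written with empty `mac`, `bridge` and `disks` values; in the example inventory DarkNet has no `bridge`. The generated units also run QEMU with `User=root` and a bare `-vnc :N` display, which deserves at least a comment on what restricts access to those ports.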

18
bin/reverse-copy Normal file

@ -0,0 +1,18 @@
#!/bin/bash
if [ "$USER" != root ]; then
sudo $0 $@
exit 0
fi
grep -A 2 copy: tasks/main.yml | tr '\n' ' ' | sed 's/--/\n/g' | while read copyline; do
dest="$(echo "$copyline" | sed 's/ /\n/g' | grep src: | awk '{ print $2; }' )"
src="$(echo "$copyline" | sed 's/ /\n/g' | grep dest: | awk '{ print $2; }' )"
if [ -d "$src" ]; then
cp -r "$src"/* files/"$dest"
else
cp -r "$src" files/"$dest"
fi
chown -R "$SUDO_USER": files/"$dest"
done
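
Review bot: `sudo $0 $@` re-executes the script with unquoted arguments and the following `exit 0` discards sudo's exit status, so a failed copy reports success; use `exec sudo "$0" "$@"`. Inside the loop, `dest` is filled from the `src:` field and `src` from the `dest:` field, which is right for a reverse copy but reads as a bug without a comment. The paths come from grepping `tasks/main.yml` and are then copied as root, with no check that `$src` or `$dest` is non-empty, so an entry that fails to parse still reaches `chown -R` on `files/` itself; skip entries where either value is empty.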

91
bin/tmux-hosts Executable file

@ -0,0 +1,91 @@
#!/bin/bash
# File: tmux-hosts
#
# Description: This script allows you to open groups of hosts in 2x2 tmux panes
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://irc.aninix.net:6697/DarkFeather>
# Sanity
set -Eo pipefail
# Defaults
group=all
offset=0
unset inventory
function usage() {
# Show helptext
# param retcode: what to exit
retcode="$1"
echo "Usage: $0 [ -o offset ] [-g group ] -i inventory.yml"
echo " $0 -h"
echo "Group is optional -- add it if you only want to look at a specific subset."
echo "Add -v for verbosity."
exit "$retcode"
}
function tmuxHosts() {
# Open hosts in Tmux -- ported from pnp/misc-scripts.git geotmux
# param host1: the first host
# param host2: the second host
# param host3: the third host
# param host4: the fourth host
host1="$1"
host2="$2"
host3="$3"
host4="$4"
name="$group-$offset"
# If no TMUX session started, then add one with four panes.
if [ -z "$TMUX" ]; then
tmux new-session -s "$name" -d "/bin/bash -l -c ssh\\ $host1"
tmux select-window -t "$name":0
tmux split-window "/bin/bash -l -c ssh\\ $host2"
tmux split-window -h -t 0 "/bin/bash -l -c ssh\\ $host3"
tmux select-window -t "$name":1
tmux split-window -h -t 2 "/bin/bash -l -c ssh\\ $host4"
tmux setw synchronize-panes
tmux a -d -t "$name"
# Otherwise, add a new window to the current session with all four sessions.
else
tmux new-window -n "$name" "/bin/bash -l -c ssh\\ $host1"
tmux select-window -t "$name"
tmux split-window "/bin/bash -l -c ssh\\ $host2"
tmux select-window -t "$name"
tmux split-window -h -t 0 "/bin/bash -l -c ssh\\ $host3"
tmux select-window -t "$name"
tmux split-window -h -t 2 "/bin/bash -l -c ssh\\ $host4"
tmux setw synchronize-panes
tmux select-window -t "$name"
fi
}
# main
if [ "$(basename $0)" == "tmux-hosts" ]; then
while getopts 'g:hi:o:v' OPTION; do
case "${OPTION}" in
g) group="${OPTARG}" ;;
h) echo Open Ansible hosts in TMUX panes.; usage 0 ;;
i) inventory="${OPTARG}" ;;
o) offset="${OPTARG}" ;;
v) set -x ;;
*) usage 1 ;;
esac
done
if [ -z "$inventory" ]; then
echo Need an inventory.
usage 2;
fi
tmuxHosts $(ansible -i "$inventory" --list-hosts "$group"\
| grep -v hosts\ \( \
| sed 's/\s\+//g' \
| if [ $offset -gt 0 ]; then tail -n +"${offset}"; else cat; fi \
| head -n 4 \
| tr '\n' ' ')
fi
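
Review bot: `tmuxHosts` always opens four panes, so when the group yields fewer than four hosts the remaining panes run `ssh` with an empty argument; count the hosts and create only as many panes as there are names. The host names are also expanded unquoted from the `ansible --list-hosts` pipeline into a `/bin/bash -l -c ssh\\ $host` string, so they should be validated as hostnames first, and `$offset` should be checked to be numeric before the `[ $offset -gt 0 ]` test. Since `synchronize-panes` is switched on, the usage text should say that keystrokes go to every pane.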

267
examples/msn0.yml Normal file

@ -0,0 +1,267 @@
all:
vars:
# Environment-wide data
external_domain: aninix.net
replica_domain: "MSN0.AniNIX.net"
time_zone: "America/Chicago"
# Services used by all
router: 10.0.1.1
netmask: 24
dhcprange: '10.0.1.224,10.0.1.254,255.255.255.0,12h'
staticrange: '10.0.1.1,10.0.1.223,255.255.255.0,12h'
dns: "10.0.1.2"
logserver: "10.0.1.16"
webfront: "10.0.1.3"
mirroruri: "http://Maat.MSN0.AniNIX.net:9129/repo/archlinux/$repo/os/$arch"
# Standards
daemon_shell: /sbin/nologin
user_shell: /bin/bash
ansible_become_method: sudo
ansible_become_user: root
static: false
wireless_ssid: 'Shadowfeed'
ansible_python_interpreter: auto_silent
ldap:
server: "10.0.1.3"
orgdn: "dc=aninix,dc=net"
binduser: 'binduser'
userou: 'ou=People'
organization: # Information about the group
admin: 'DarkFeather'
email: 'ircs://irc.aninix.net:6697/DarkFeather'
displayname: 'AniNIX'
gpgkey: '904DE6275579CB589D85720C1CC1E3F4ED06F296'
ssl: # Standard SSL cryptographic standards
identity: 'aninix.net-0001' # The Let's Encrypt identity to use
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
children:
managed:
children:
physical: # 10.0.1.0/28
hosts:
Nazara:
ipinterface: eth0
ip: 10.0.1.2
mac: B8:27:EB:B6:AA:0C
static: true
Core:
ipinterface: enp1s0f0
ip: 10.0.1.3
mac: 00:25:90:0d:6e:86
static: true
sslidentity: aninix.net-0001
secdetection: true
iptv_location: "Milwaukee|Madison"
aether_source: true
Node0:
ipinterface: enp1s0f0
ip: 10.0.1.4
mac: DE:8B:9E:19:55:1D
tap: true
Node1:
ipinterface: enp1s0f0
ip: 10.0.1.5
mac: B0:41:6F:0D:47:E1
tap: true
Node2:
ipinterface: enp1s0f0
ip: 10.0.1.7
mac: B0:41:6F:0D:41:D1
tap: true
Node3:
ipinterface: enp1s0f0
ip: 10.0.1.8
mac: B0:41:6F:0D:51:0E
tap: true
virtual: # 10.0.1.16/28
vars:
hosts:
Sharingan:
ip: 10.0.1.16
ipinterface: ens3
mac: 00:15:5D:01:02:10
cores: 4
memory: 4
vnc: 8
bridge: br0
uefi: true
siem: true
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
DarkNet:
ipinterface: ens3
ip: 10.0.1.17
mac: 00:15:5D:01:02:05
cores: 2
memory: 2
vnc: 9
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
Maat:
ip: 10.0.1.18
ipinterface: ens3
mac: 00:15:5d:01:02:07
cores: 2
memory: 2
bridge: br0
vnc: 7
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/Maat.qcow2'
geth_hubs: # 10.0.1.32/28
vars:
motion_enabled: yes
hosts:
Geth-Hub-1:
ip: 10.0.1.32
mac: 84:16:F9:14:15:C5
rotate: 0
remote: NS-RC4NA-14
Geth-Hub-2:
ip: 10.0.1.33
mac: 84:16:F9:13:B6:E6
motion_enabled: no
rotate: 180
remote: NS-RC4NA-14
Geth-Hub-3:
ip: 10.0.1.34
mac: b8:27:eb:60:73:68
rotate: 90
remote: LG-AKB73715608
unmanaged:
children:
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
ovas: # 10.0.1.48/28
hosts:
Geth:
ip: 10.0.1.49
mac: DE:8B:9E:19:55:1E
cores: 2
memory: 2
vnc: 6
bridge: br0
uefi: true
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/hassos_ova-5.13.qcow2'
test_ovas: # 10.0.1.48/28
hosts:
TDS-Jump:
ip: 10.0.1.48
mac: 00:15:5d:01:02:08
cores: 2
memory: 2
vnc: 4
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/TDSJump.qcow2'
DedNet:
ip: 10.0.1.50
mac: 00:15:5d:01:02:09
cores: 2
memory: 2
vnc: 3
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/DedNet.qcow2'
- '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d'
Aether:
ip: 10.0.1.51
mac: 00:15:5d:01:02:11
cores: 2
memory: 2
vnc: 5
bridge: br0
disks:
- '-drive if=none,id=disk0,cache=none,format=raw,aio=native,file=/dev/sdc'
- '-cdrom /srv/maat/iso/archlinux.iso -boot order=d'
test1:
ip: 10.0.1.52
ipinterface: ens3
mac: 00:15:5d:01:02:06
cores: 2
memory: 2
bridge: br0
vnc: 10
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
test2:
ip: 10.0.1.53
ipinterface: ens3
mac: 00:15:5d:01:02:03
cores: 2
memory: 2
bridge: br0
vnc: 11
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
test3:
ip: 10.0.1.54
ipinterface: ens3
mac: 00:15:5d:01:02:04
cores: 2
memory: 2
bridge: br0
vnc: 12
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
appliances:
hosts: # 10.0.1.64/27
Shadowfeed: # Router must be at root
ip: 10.0.1.1
mac: 2c:30:33:64:f4:03
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
ip: 10.0.1.6
mac: 00:80:92:77:CE:E4
Geth-Eyes:
ip: 10.0.1.68
mac: 9C:A3:AA:33:A3:99
"Core-Console":
ip: 10.0.1.74
mac: 00:25:90:0D:82:5B
"Node0-Console":
ip: 10.0.1.75
mac: 00:25:90:3E:C6:8C
adhoc_appliances:
hosts: # 10.0.1.64/27
DarkFeather:
ip: 10.0.1.64
mac: D0:40:EF:D4:14:CF
Lykos:
ip: 10.0.1.65
mac: 70:74:14:4F:8E:42
Games:
ip: 10.0.1.66
mac: E0:BE:03:77:0E:88
LivingRoomTV:
ip: 10.0.1.69
mac: 80:D2:1D:17:63:0E
BedRoomTV:
ip: 10.0.1.70
mac: 80:D2:1D:17:63:0F
TrainingRoomTV:
ip: 10.0.1.71
mac: 80:D2:1D:17:63:10
Tachikoma:
ip: 10.0.1.72
mac: 90:0f:0c:1a:d3:23
Dedsec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F
# dhcp build space: 10.0.1.224/27
iot: # 10.0.2.0/24
hosts:
LinKeuei:
ip: 10.0.2.2
mac: 64:16:66:08:57:F5
Canary:
ip: 10.0.2.3
mac: 18:B4:30:2F:F1:37
Charon:
ip: 10.0.2.4
mac: 64:52:99:14:28:2B
Skitarii-1:
ip: 10.0.2.5
mac: 40:9F:38:95:06:34
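
Review bot: this file is both the documented example and the default inventory in `bin/deploy-role` and `bin/full-deploy`, and it carries site-specific data: MAC addresses, internal addressing, raw disk device paths such as `/dev/sdb`, and the organization `gpgkey` fingerprint. Keep the site inventory out of `examples/` and ship a template with placeholder values, so that running the scripts with no inventory argument does not deploy against this layout. In `ssl.ciphersuite`, the `!SSLv2:!SSLv3:!TLSv1` entries filter cipher suites and do not set a minimum protocol version, so the roles that consume this value need a separate protocol setting; a comment here should say so. `virtual:` also has an empty `vars:` key that can be dropped.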

79
playbooks/deploy.yml Normal file

@ -0,0 +1,79 @@
---
# deploy.yml
#
# This playbook details how an entire datacenter should be deployed
#
# Parameters:
# threads: Number of threads to use; default is 16.
#
- hosts: Nazara
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars:
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- Nazara
- hosts: managed
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars: # This is the only segment that should need these variables, as the basics role should take care of sudo and the SSH key.
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- ShadowArch
- SSH
- Sharingan
- hosts: Core
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- SSL
- WebServer
- IRC
- hosts: geth_hubs
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- Geth-Hub
- hosts: Node0
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- Node
- hosts: DarkNet
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- DarkNet
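
Review bot: `ignore_unreachable: true` is set on all six plays, so a host that is offline during a full deployment is not treated as a failure and can miss the ShadowArch, SSH and Sharingan baseline without the run flagging it. Drop it from at least the `managed` play, or end the playbook with a task that fails when any host was unreachable. Separately, `passwords[inventory_hostname]` in the Nazara and managed plays raises an undefined-variable error for any host missing from the vault; an explicit `assert` on `inventory_hostname in passwords` at the top of those plays would give a clearer message.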

View File

@ -0,0 +1,27 @@
# This playbook disables the archlinux-keyring-wkd-sync.service and timer, because they tend to fail for bad reasons.
#
---
- hosts: managed
ignore_errors: true
gather_facts: true
become: yes
tasks:
- name: Disable services & timers
when: ansible_os_family == "Archlinux"
service:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- archlinux-keyring-wkd-sync.timer
- archlinux-keyring-wkd-sync.service
- name: Reset failed
when: ansible_os_family == "Archlinux"
command: "systemctl reset-failed {{ item }}"
loop:
- archlinux-keyring-wkd-sync.timer
- archlinux-keyring-wkd-sync.service
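
Review bot: play-level `ignore_errors: true` hides every failure in both tasks, so this playbook reports success even if the timer was never stopped. Scope the tolerance to the one task that is expected to fail. The `command: "systemctl reset-failed {{ item }}"` task also reports changed on every run; add `changed_when: false`. The header comment says the units "fail for bad reasons" and sits above the `---` marker; please state the actual failure inside the document and say what keeps the packager keys current once the WKD sync is off.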

View File

@ -0,0 +1,61 @@
---
# patching.yml
#
# This playbook can be used to patch all the servers in an inventory to the latest on the repo servers
# Variables:
# - hosts: the host grouper in the inventory -- default: all
# - action: update or upgrade -- default: update
# - delay: minutes to wait after a reboot -- default 5
#
#
# Patch then restart a node
- hosts: "{{ targets | default('geth_hubs') }}"
order: sorted
ignore_unreachable: true
serial: 1
vars:
ansible_become: yes
ansible_become_method: sudo
oldmajor: stretch
newmajor: buster
tasks:
- name: Check /var free percentage
command: /bin/bash -c "df -m /var | tail -n 1 | awk '{ print $5; }' | sed 's/%//' "
become: no
register: df_output
- name: Verify /var space
assert:
that:
- 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space"
- apt:
name: python-apt
state: present
- name: apt dist-upgrade
apt:
update_cache: yes
upgrade: dist
ignore_errors: yes
- name: Replace repo
command: "sed -i 's/{{ oldmajor }}/{{ newmajor }}/g' /etc/apt/sources.list"
become: yes
- name: Update packages
apt:
upgrade: full
update_cache: yes
autoremove: yes
autoclean: yes
ignore_errors: yes
# - name: Perform firmware-update
# command: rpi-update
# become: yes
- reboot:
- wait_for_connection:
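
Review bot: `ignore_errors: yes` on both "apt dist-upgrade" and "Update packages" means the play still rewrites `/etc/apt/sources.list` from stretch to buster and reboots when either upgrade failed, which can leave a node half-upgraded across a reboot. Remove the `ignore_errors`, or register both results and make `reboot:` conditional on them. The header is also out of step with the play: it documents `hosts`, `action` and `delay`, while the only variable read is `targets`. In the space check, `$5` from `df` is the use percentage rather than free space, and `90 > {{ df_output.stdout }}` should be written without nested templating as `df_output.stdout | int < 90`.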

29
playbooks/one-role.yml Normal file
View File

@ -0,0 +1,29 @@
# ---
# one-role.yml
#
# Test a single role against a host or group of hosts.
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# role: role to run
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('all') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_port: "{{ sshport | default('22') }}"
therole: "{{ role | default('Uptime') }}"
ansible_become_password: "{{ passwords[inventory_hostname] }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- "{{ therole }}"
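
Review bot: `hosts: "{{ targets | default('all') }}"` makes a run without `-e targets=...` apply the chosen role, with become, to every host in the inventory. For a playbook meant to test a single role, fail when `targets` is unset or default to an empty pattern. The opening `# ---` also comments out the document start marker that the other playbooks carry.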

View File

@ -0,0 +1,27 @@
---
# patching.yml
#
# Variables:
# - hosts: what hosts in the inventory to use
# - threads: how many to check in parallel
- hosts: "{{ hosts | default('managed') }}"
order: sorted
serial: "{{ threads | default('4') }}"
ignore_unreachable: true
vars:
ansible_become: no
tasks:
- name: Check updates
yum:
list=updates
update_cache=true
ignore_errors: true
register: yumupdates
- name: Patching succeeded
ignore_errors: true
assert:
that:
- yumupdates.results|length == 0
- df_output.stdout is search("rhel-7-server-rpms-nist")
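
Review bot: the second assertion reads `df_output.stdout`, but nothing in this play registers `df_output`, so the assert always errors on an undefined variable and `ignore_errors: true` hides it. Register the repository listing the check is meant to inspect, or drop the condition. The header still says `patching.yml`, and the extra variable named `hosts` shares its name with the play keyword; `targets` would match the other playbooks.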

44
playbooks/patching.yml Normal file
View File

@ -0,0 +1,44 @@
---
# patching.yml
#
# This playbook can be used to patch all the servers in an inventory to the latest software available.
# Because we typically encrypt our disk storage, we don't wait for the connection to become available again.
# Variables:
# - target: the host grouper in the inventory -- default: all
#
# Patch then restart a node
#
#
- hosts: physical,virtual
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
tasks:
- package:
name: archlinux-keyring
state: latest
- hosts: virtual,geth-hubs
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- patching
- hosts: physical
order: sorted
ignore_unreachable: true
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- patching
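
Review bot: the second play targets `virtual,geth-hubs`, while deploy.yml and the Debian upgrade playbook spell the group `geth_hubs`; if the inventory uses the underscore form, those hosts are never patched by this play. The header documents a `target` variable that no play reads, since all three `hosts:` lines are hard-coded. The first and second plays also omit `ignore_unreachable`, unlike the third, so please confirm that difference is intended.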

1
playbooks/roles Symbolic link
View File

@ -0,0 +1 @@
../roles/

39
playbooks/sshkey.yml Normal file
View File

@ -0,0 +1,39 @@
# ---
# sshkey.yml
#
# ssh-keyscan and copy your SSH key to hosts
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# pubkey: file to hand off
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
#
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_password: "{{ passwords[inventory_hostname] }}"
ansible_ssh_port: "{{ sshport | default('22') }}"
keyfile: "{{ pubkey | default(lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
tasks:
# Scanning SSH keys has been replaced with ../bin/generate-ssh-keyscan
- name: Get key
delegate_to: localhost
command: "cat {{ keyfile }}"
register: key
- authorized_key:
user: "{{ ansible_user_id }}"
key: "{{ key.stdout }}"
state: present
exclusive: true
name: "Pass authorized key"
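
Review bot: `exclusive: true` on the `authorized_key` task removes every other key from the user's `authorized_keys`, so running this with one operator's `id_ed25519.pub` locks out any other admin or automation key on all targets. Either drop `exclusive`, or pass the complete set of allowed keys in `key` and say so in the header. `lookup('file', keyfile)` would replace the delegated `cat` task, and the header still describes ssh-keyscan although the inline comment says that moved to `../bin/generate-ssh-keyscan`.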

View File

@ -0,0 +1,28 @@
# ---
# one-role.yml
#
# Test a single role against a host or group of hosts.
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# variablename: the variable to print
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_port: "{{ sshport | default('22') }}"
variablename: "{{ variable | default('ansible_os_family') }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
tasks:
- debug:
msg: "{{ lookup('vars',variablename) | default('undefined') }}"
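
Review bot: the play loads the vault through `vars_files` and then prints whatever variable name is passed in, so `-e variable=passwords` writes vault contents to the console and to any Ansible log. Drop `vars_files` here if it is not needed, or refuse names under `passwords` and `secrets`. The header is copied from one-role.yml and documents the parameter as `variablename`, while the play reads `variable`.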

58
precommit-hooks/find-bad-ipam Executable file
View File

@ -0,0 +1,58 @@
#!/usr/bin/bash
# File: find-bad-ipam
#
# Description: This file finds bad IPAM entries in an inventory.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
file="examples/msn0.yml"
function findBadTerm() {
### Check for a term to be duplicated.
# param file: the file
# param term: the term to search for duplicates
file="$1"
term="$2"
results="$(grep -i "$term:" "$file" | tr '[[:upper:]]' '[[:lower:]]' | sed 's/\s+'"$term"':\s*//' | sort | uniq -c | grep -vE '^\s+1\s+' )"
if [ -n "$results" ]; then
echo "Some ${term} entries are duplicated. Search for the above terms in your inventory and deduplicate."
echo "$results"
exit 2
fi
}
function Usage() {
### Helptext
# param retcode: what to return
retcode="$1"
echo "Usage: $0 -f SOMEFILE"
echo " $0 -h"
echo "Add -v for verbosity."
exit $retcode
}
while getopts 'f:hv' OPTION; do
### Parse arguments
case "$OPTION" in
f) file="$OPTARG" ;;
h) echo "Find bad IPAM entries in an inventory." ; Usage 0 ;;
v) set -x ;;
*) Usage 1 ;;
esac
done
# Sanity check
if [ -z "$file" ] || [ ! -f "$file" ]; then
echo Need an inventory to process.
Usage 3;
fi
# Check for the unique attributes.
for i in ip vnc mac; do
findBadTerm "$file" "$i"
done
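
Review bot: in `findBadTerm` the `sed 's/\s+'"$term"':\s*//'` expression runs without `-E`, so `+` is a literal plus sign and the key prefix is never stripped. The lines then reach `sort | uniq -c` with their original indentation, and the same IP at two different nesting depths is not counted as a duplicate. Use `sed -E 's/^\s*'"$term"':\s*//'`. `grep -i "$term:"` is also unanchored, so `ip:` matches any key that merely ends in `ip:`. The "Search for the above terms" message is printed before the results it refers to, and the `exit 2` inside the function stops the loop at the first term with duplicates.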

View File

@ -0,0 +1,9 @@
#!/bin/bash
result="$(find roles/*/{files,templates} -type f -exec file {} \; | grep -Ev ASCII\ text\|empty\|Unicode\ text | grep -v motd.txt.j2)"
if [ -n "$result" ]; then
echo "These files need to be evaluated -- generally, don't commit data files to Git."
echo "$result"
exit 1
fi
exit 0
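
Review bot: the `grep -Ev` filter is applied to the whole `file` output line, path included, so any file whose path contains `empty` or `ASCII text` passes regardless of content. Match only the part after the colon, or switch to `file --mime-type` and filter on the reported type. The `motd.txt.j2` exclusion has the same problem, since it matches that string anywhere in the line.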

View File

View File

@ -0,0 +1,12 @@
#!/bin/bash
# Limit files in git to 1M.
IFS="
"
git ls-files | xargs -n1 du -k | grep -vE '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
if [ $? -ne 1 ]; then
echo
echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
exit 1;
fi
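
Review bot: `git ls-files | xargs -n1 du -k` splits on whitespace, and the `IFS` assignment above does not affect `xargs`, so a tracked file with a space in its name is passed as two broken paths and its size is never checked. Use `git ls-files -z | xargs -0 -n1 du -k`. The `venv` alternative in the exclusion also matches anywhere in the line, so any path containing that string is exempt from the limit.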

View File

@ -0,0 +1,14 @@
#!/bin/bash
retcode=0
for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
echo "Need MOTD for $host"
retcode=1;
fi
if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
echo "Need Sharingan-Data file for $host"
retcode=1;
fi
done
exit $retcode
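
Review bot: the `for host in` loop takes its list from `ansible --list-hosts`, and if that command fails (ansible missing, inventory unparsable) the list is empty and the hook exits 0 without checking anything. Capture the output first, fail when the command returns non-zero or yields no hosts, then iterate. The inventory path `examples/msn0.yml` is hard-coded here, while find-bad-ipam accepts `-f`.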

View File

@ -0,0 +1,30 @@
#!/bin/bash
# Ignore Ansibilized templates.
saferegex='\{\{.+\}\}|secrets\['
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//|\s+[/]?[*][/]?\s+'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
# Ignore IRC Modules
saferegex="$saferegex"'|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
# Ignore SSH known hosts
saferegex="$saferegex""|ssh_known_hosts:|"
git ls-files roles/*/{files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE "$saferegex"
if [ $? -ne 1 ]; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0.
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi
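
Review bot: the last addition to `saferegex`, `"|ssh_known_hosts:|"`, ends in a bare `|`, which leaves an empty alternative in the expression. GNU grep treats an empty alternative as matching every line, so `grep -vE "$saferegex"` discards all candidates and the hook passes no matter what is committed. Remove the trailing `|`. The web entries `.css:`, `.html:` and `.md:` have unescaped dots, and `-r` is redundant when the file list comes from `git ls-files`.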

4
requirements.txt Normal file
View File

@ -0,0 +1,4 @@
pyaml
pytest
python3-nmap
simplejson
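
Review bot: none of the four entries carries a version pin or hash, so each install resolves to whatever is current on the index at that moment. Pin the versions the hooks and tests were validated with, and consider hash-checking mode for the machine that holds the vault.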

View File

@ -0,0 +1,15 @@
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
# Etymology
A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
# Relevant Files and Software
This service uses a file, [/etc/conf.d/webssh](file:///etc/conf.d/webssh), to control the service. Additionally, there's a password file [/opt/openresty/nginx/passwords/cyberbrain.htpasswd](file:///opt/openresty/nginx/passwords/cyberbrain.htpasswd) that controls an initial authentication to the webserver socket.
## Backups
No backup is needed.
# Available Clients
This uses the same clients as [AniNIX/WebServer](../WebServer). Any browser will do.

View File

@ -0,0 +1,22 @@
server {
listen 443 ssl http2;
server_name cyberbrain.aninix.net;
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
auth_basic "Cyberbrain";
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
proxy_pass http://127.0.0.1:8822;
proxy_http_version 1.1;
proxy_read_timeout 300;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port;
}
}

View File

@ -0,0 +1,10 @@
[Unit]
Description=AniNIX/Cyberbrain | SSH Web Front End, powered by python-webssh
[Service]
User=webssh
EnvironmentFile=/etc/conf.d/webssh
ExecStart=/usr/bin/wssh $WEBSSH_ARGS
[Install]
WantedBy=multi-user.target
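
Review bot: the `[Service]` section runs a browser-reachable SSH front end with only `User=webssh` as containment. Add sandboxing such as `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes`, then confirm outbound SSH still works. The unit also has no `After=network.target`, and the listen address comes entirely from `WEBSSH_ARGS`; a comment stating that it must bind to 127.0.0.1:8822 to match the proxy config would help.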

View File

@ -0,0 +1,71 @@
---
- name: Install python-webssh
become: yes
package:
name: python-webssh
state: present
- name: Standardize the servicefile
become: yes
register: servicefile
copy:
src: cyberbrain.service
dest: /usr/lib/systemd/system/cyberbrain.service
owner: root
group: root
mode: 0644
- name: Ensure default webssh service file is off.
become: yes
service:
name: webssh
state: stopped
enabled: no
- systemd:
daemon_reload: true
when: servicefile.changed
become: yes
- name: Ensure service is restarted
when: servicefile.changed
become: yes
service:
name: cyberbrain.service
enabled: yes
state: started
- name: Ensure service is started
when: not servicefile.changed
become: yes
service:
name: cyberbrain.service
enabled: yes
state: started
- name: Add the webserver conf file
become: yes
register: webserver_conf
copy:
src: cyberbrain.conf
dest: /opt/openresty/nginx/conf.d/cyberbrain.conf
owner: root
group: http
mode: 0750
- name: Ensure the password file is seeded
become: yes
template:
src: cyberbrain.htpasswd.j2
dest: /opt/openresty/nginx/passwords/cyberbrain.htpasswd
owner: root
group: http
mode: 0750
- name: Reload openresty
become: yes
when: webserver_conf.changed
service:
name: openresty.service
state: reloaded
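
Review bot: the task named "Ensure service is restarted" uses `state: started`, so a changed unit file triggers a daemon reload but never a restart, and the two service tasks are identical apart from their `when`. Set `state: restarted` on the first, or replace the pair with a handler. The conf and htpasswd files are installed with `mode: 0750`; neither needs the execute bit, so `"0640"` is enough, and quoting the modes avoids them being read as integers.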

View File

@ -0,0 +1 @@
cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}
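
Review bot: the `{PLAIN}` scheme writes the vault password to disk in cleartext, readable by the `http` group given the mode set in the tasks file. Store a hash instead, for example by rendering the value through Ansible's `password_hash` filter into a crypt format the web server accepts, so that reading the file does not reveal the credential that fronts the web shell.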

27
roles/DarkNet/README.md Normal file
View File

@ -0,0 +1,27 @@
The DarkNet VM is the privacy protection of the AniNIX. The AniNIX does not believe in security by obscurity or in censorship; as such, everyone should have a voice. VPN access is an assurance to content despite censorship and obfuscation for cases where free speech would normally come with some form of repercussions, despite the UN standards for human rights.
# Etymology
The DarkNet is named for an anonymous network whose access is controlled only by the admins and whose usage is known only to them. It's entirely closed and anonymous.
# Capacity and Components
A basic VM to provide DarkNet functionality in an AniNIX replica only needs the following resources:
* [ShadowArch](/AniNIX/ShadowArch)
* 1 core
* 1024M of RAM
* Virtualized NIC
* 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
# Hosted Services
The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
```
nordvpn whitelist add subnet $subnet/$cidr
```
## Abilities
* Encrypted storage by default to a passphrase known only to admins.
* Tor proxy service, integrated with both text lynx and GUI tor-browser-en browsers.
* Lynx is aliased to "torsocks lynx" globally
* Anonymous VPN via NordVPN

View File

@ -0,0 +1,67 @@
---
- name: DarkNet packages
become: yes
package:
name:
- deluge
- deluge-gtk
- openvpn
- nordvpn-bin
- tor
- torsocks
- tor-browser-en
- name: OpenVPN config
become: yes
get_url:
url: "{{ secrets.DarkNet.vpnserver }}"
dest: /etc/openvpn/client/darknet.conf
mode: 0600
owner: openvpn
group: network
- name: OpenVPN Auth part 1
become: yes
lineinfile:
path: /etc/openvpn/client/darknet.conf
regexp: ^auth-user-pass
line: auth-user-pass /etc/openvpn/client/darknet.auth
- name: OpenVPN Auth part 2
become: yes
lineinfile:
path: /etc/openvpn/client/darknet.conf
regexp: ^dev
line: dev tun0
- name: OpenVPN Auth part 3
become: yes
copy:
dest: /etc/openvpn/client/darknet.auth
content: "{{ secrets.DarkNet.token }}"
mode: 0600
owner: openvpn
group: network
- name: "Enable daemons"
become: yes
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- tor.service
- nordvpnd.service
- deluged.service
- openvpn-client@darknet.service
- name: BashRC customization
become: yes
copy:
dest: /etc/profile.d/darknet
content: |
alias torlynx='torsocks elinks https://check.torproject.org/'
mode: 0644
owner: root
group: root
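
Review bot: the "OpenVPN config" task downloads `darknet.conf` with `get_url` and no `checksum`, so whatever the URL serves on a given run becomes the active client configuration. Pin a checksum or ship the file from the role. "OpenVPN Auth part 3" writes `secrets.DarkNet.token` without `no_log: true`, which lets the token appear in diff or verbose output. "OpenVPN Auth part 2" sets `dev tun0` and is not an auth step. The alias calls `elinks`, which is not in the package list, and the README describes a global `torsocks lynx` alias instead. `/etc/profile.d/darknet` has no `.sh` suffix, which the stock `/etc/profile` typically requires before it sources a file.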

View File

@ -0,0 +1,8 @@
---
# Consider https://blackarch.org/blackarch-guide-en.pdf
- name: Install DedSec packages
become: yes
package:
name:
- tcpdump
- wireshark

View File

@ -0,0 +1,65 @@
The Foundation is a one-stop shop for source code from AniNIX developers -- it's an open repository form which people can pull source code and recreate the entities being used by the AniNIX. You can view its web frontend from [https://aninix.net/foundation this webpage].
# Etymology
The etymology of the Foundation is twofold. First and foremost, the AniNIX attempts to automate any new package it is using as much as possible, and as such the Foundation holds the very basis on which the AniNIX is built.
Secondly, the Foundation is the third piece of the charity trinity for the AniNIX, along with the Wiki and the [https://aninix.net/pages/charity.php short-term charity projects]. The AniNIX puts a lot of time into designing its projects and making sure they work. Rather than forcing others to redo this work, we offer commented code and documentation so that the process is transparent but the work-by-hand is minimized.[[Category:Charity]]
# Relevant Files and Software
The Git system was created by the Linux project to manage changes to the kernel and has been on the rise for some time among Version Control Systems (VCS's) with projects like GitHub. The AniNIX self-hosts the repositories in [file:///srv/foundation/ the Foundation server folder] on [[Core]].
[[WebServer]] is configured to translate the repository to [https://aninix.net/foundation/ the Web-accessible format] via the ArchLinux cgit package. Review the package list at that link and identify the source packages you want to use. Then use the following to clone the source, generally best done to /usr/local/src/ on Linux. Please note that the AniNIX uses Webserver translation to eliminate the need for a .git suffix -- web requests will show in CGIT, while Git clone requests will pull the package all from the same URL. Right-click on your package of choice from the web interface's index page and then clone that address. <pre>
git clone https://aninix.net/foundation/<packagename>
</pre>
New packages should make sure to refer to the [[Development Best Practices]] to ensure they are compliant with standards; if you notice an issue with the Foundation's code, make sure to submit a [[QANs|QAN]]. [[TeamGreen|AniNIX::TeamGreen]] should be running regressions on these projects.
You can use [https://aur.archlinux.org/packages/hexedit-advanced-search/ Hexedit] to edit [file:///usr/share/webapps/cgit/cgit.cgi cgit.cgi] to have a different name, such as "AniNIX::Foundation Web".
## Dependencies
For CentOS, one needs to use the following steps to install Mono. Packages like Cryptoworkbench, Heartbeat, Cerberus, and others require this.
* yum install bison gettext glib2 freetype fontconfig libpng libpng-devel libX11 libX11-devel glib2-devel libgdi* libexif glibc-devel urw-fonts java unzip gcc gcc-c++ automake autoconf libtool make bzip2 wget
* [https://download.mono-project.com/sources/mono/ Download Mono source]
* tar xjvf the source package
* configure; make; make install
*Note:* We used to declare the INSTALLER variable at the top of Makefiles, but no longer do. Non-ShadowArch installs should double check dependencies against the PKGBUILD files manually. We will try to keep this list short.
# Available Clients
To get a client to access the Foundation, use one of the following or visit
* ArchLinux: pacman -S git
* Ubuntu: apt-get install git
* RHEL/CentOS: yum install git
* Windows: [https://git-scm.com/download/win Go here], but please be aware that file paths and such are coded for Linux. Windows users will need to conduct extensive code review to install these packages.
* Mac: [https://git-scm.com/download/mac Go here]
Each package will need to be checked out individually.
**Alternatively**: ArchLinux users can add the following segment to the bottom of pacman.conf to install the packages as bundled by the AniNIX. We're working on adding GPG signing -- in the meantime, security-conscious users should build from source anyway.
<pre>
[AniNIX::Foundation]
SigLevel = Optional TrustAll
Server = https://aninix.net/foundation/
</pre>
# Equivalents or Competition
The most famous equivalent is [https://github.com GitHub]. Other source code control systems exist, including some provided by employers or academic institutions -- GitLab provides an enterprise-style implementation. Other protocol implementations vary widely -- Mercurial, Bazaar, and SVN are other revision control systems others use. We appreciate the flexibility of Git.
# Additional Reference
Some core Git tools are leveraged in specific ways for the AniNIX.
## Config for Author
Even though the [[Talk:IRC#Why_Not_SMTP|AniNIX doesn't use SMTP]], we still use the @aninix.net suffix for the user.email config property on branches. All commits, therefore, should have the proper-case of the user's [[IRC|AniNIX::IRC]] handle as the user.name attribute, and the lower-cased username followed by @aninix.net for the user.email attribute.
## Tags for Semantic Versioning
We version our projects according to [https://semver.org/ Semantic Versioning] -- this versioning is established using the git tag as major and minor version, the git commit as the patch, and the number of commits since the tag as the ArchLinux release note.
[https://aninix.net/cgit/cgit.cgi/HelloWorld/tree/PKGBUILD Our HelloWorld PKGBUILD] demonstrates this -- most of the metadata for the package is populated directly by git, and only dependencies are tracked in the PKGBUILD itself.
## Branches for Functional Improvements
All major functional improvements being worked should be tracked in a branch. The branch name should be the same as the [[QANs|QAN]] for which the branch was started or the functional concept's shortname.
## Filter-branch to Prune
Git maintains a history of all files. If you need to remove files permanently, GitHub maintains [https://help.github.com/articles/removing-sensitive-data-from-a-repository/ an article] on how to use "git filter-branch" to purge it.
}}
[[Category:Public_Service]]
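
Review bot: the headings are Markdown, but the links (`[https://... text]`, `[[Core]]`), the `<pre>` blocks, the `[[Category:...]]` tags and the stray `}}` near the end are MediaWiki syntax and will not render in a README; please convert them. "form which" in the first paragraph should be "from which", and "use one of the following or visit" under Available Clients stops mid-sentence. On the pacman.conf snippet, `SigLevel = Optional TrustAll` accepts unsigned packages; the text already says signing is pending, so put the build-from-source recommendation ahead of the snippet instead of after it.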

View File

@ -0,0 +1,64 @@
#!/bin/bash
URI=https://aninix.net/assets/css/theme-arc-green.css
# Gitea arc-green palette
BOLDTEXT='#87ab63'
TEXT='#9e9e9e'
BGCOLOR='#383c4a'
ACCENTBG='#353945'
HEADERBG='#404552'
ROW='#2a2e3a'
HOVER='#a0cc75'
NAV='#2e323e'
# AniNIX palette
ANINIXBOLD='#df0000'
ANINIXTEXT='#ffffff'
ANINIXBG='#000000'
ANINIXACCENTBG='#303030'
ANINIXHEADERBG='#151515'
ANINIXROW='#2a2a2a'
ANINIXHOVER='#af0000'
ANINIXNAV='#000000'
(curl -ks "$URI"; echo; echo ".home a {
color: $ANINIXBOLD;
}
.bounding {
border: 1px solid #FFF;
border-radius: 15px;
margin: 0;
margin-top: 20px;
padding: 10px;
background-color: #000;
margin-bottom: 30px;
display: block;
}
body {
background-color: $ANINIXBG;
color: $ANINIXTEXT;
}
a {
color: $ANINIXBOLD;
}
") \
| sed "s/$BOLDTEXT/$ANINIXBOLD/gI" \
| sed "s/$TEXT/$ANINIXTEXT/gI" \
| sed "s/$ACCENTBG/$ANINIXACCENTBG/gI" \
| sed "s/$HEADERBG/$ANINIXHEADERBG/gI" \
| sed "s/$ROW/$ANINIXROW/gI" \
| sed "s/$NAV/$ANINIXNAV/gI" \
| sed "s/$HOVER/$ANINIXHOVER/gI" \
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
for i in `find . -type f`; do
(echo "$head"
cat "$i"
echo "$foot") > /var/lib/gitea/custom/public/"$i".html
done
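
Review bot: all three `curl -ks` calls disable certificate verification, and their output is written straight into Gitea's public directory as CSS and HTML, so anyone able to intercept the request decides what the site serves. Drop `-k`, and add `-f` with an exit-code check so a failed fetch does not overwrite `theme-aninix.css` with an empty file. The head and foot fetch `https://aninix.net/` twice where one download into a variable would do, and the unquoted `find` loop breaks on snippet names containing spaces.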

View File

@ -0,0 +1,32 @@
<?php
/*
* Build a sitemap dynamically.
* Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
*
* Builds according to https://www.sitemaps.org/protocol.html
*/
/* Globals */
$path="/srv/http/aninix.net/";
echo '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | grep -E \.php\$ | grep -vE ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) {
echo ' <url>
';
echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
';
echo ' <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
';
echo ' </url>
';
}
/* Print footer */
echo '</urlset>
';
?>
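
Review bot: in the `exec()` pipeline, the exclusions `^./unlisted` and `^./errors/` are anchored for relative paths, but `find` is given absolute paths under `/srv/http/aninix.net/`, so those two patterns never match and nothing is excluded by them. Anchor on the full prefix or `cd` into `$path` and use relative paths throughout. `$path` is defined but the command hard-codes the same string three times. The `<loc>` value is echoed without `htmlspecialchars()`, so a filename containing `&` or `<` produces invalid XML.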

View File

@ -0,0 +1,7 @@
#e11d21 Blocked ; There are functional or technical reasons this can't be implemented yet
#eb6420 Duplicate ; Another issue or PR already describes this issue
#bfd4f2 On-hold ; Evaluated but not enough resources to complete now
#009800 Peer-review ; Being reviewed for quality prior to merge
#207de5 RFC ; More information and feedback is needed
#fbca04 Wontfix ; Not a bug -- way it works
#9c4ac2 In-progress ; Being worked.

View File

@ -0,0 +1,31 @@
# http://www.wtfpl.net/about/
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
ANINIX ADDENDUM
Trademark 2017 (https://aninix.net/)
The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
AniNIX materials may be reproduced and re-used (though you must
contact the admins of the network to get written permission to use
the AniNIX name or logo) so long as such reproduction or re-use
does not inhibit the original AniNIX use of the same.
Attribution is appreciated for other materials but not legally
required or necessary.
"AniNIX" trademark serial: 87177883
|> Logo trademark serial: 87177887

View File

@ -0,0 +1,472 @@
/* Borrowed from https://rawgit.com/BenZuser/Emby-Web-Dark-Themes-CSS/master/RED/theme.css */
/*
_________________________________________________________________________
------------------------- COLOR HEX & RGB CODES -------------------------
RED : #E81123 & (232, 17, 35)
DARK COLOR : #94131E
ORANGE : #FF8000 & (255, 128, 0)
DARK COLOR : #BF6000
ORANGE PLEX : #CC7B19 & (204, 123, 25)
DARK COLOR : #B35A00
YELLOW : #BDBD00 & (189, 189, 0)
DARK COLOR : #757500
GREEN : #52B54B & (82, 181, 75)
DARK COLOR : #3E8437
BLUE : #4285F4 & (66, 133, 244)
DARK COLOR : #0C57D6
BLUE DARK : #3367d6 & (51,103,214)
BLUE DARK (DARK) : #1f4698
PURPLE : #673AB7 & (103, 58, 183)
DARK COLOR : #3F2471
GRAY : #7F7F7F & (127, 127, 127)
DARK COLOR : #535353
PINK : #F707DF & (247, 7, 223)
DARK COLOR : #C604B3
*/
/*
_________________________________________________________________________
----------------------- EMBY THEME : ACCENT COLORS ----------------------
---------- Table of Contents ----------
1. ACCENT COLORS
1.1 Buttons
1.1.1 Checkboxes
1.1.2 Rectangles
1.1.3 Links & Text buttons
1.1.4 Others
1.2 Details
1.2.1 Circles
1.2.2 Indicators
1.2.3 Fonts
1.2.4 Icons
1.2.5 Dialogs & Action Sheets
1.2.6 Others
1.3 Fixes
2. MISCELLANEOUS MODIFICATIONS
2.1 Buttons
2.2 Details
2.2.1 Scrollbars
2.2.2 Logos
2.2.3 Others
2.3 Fixes
2.3.1 Dark Colors
*/
/* ------------------------ 1. ACCENT COLORS ------------------------- */
/* ----- 1.1 Buttons ----- */
/* 1.1.1 Checkboxes */
.emby-checkbox:checked + span + span + .checkboxOutline > .checkboxOutlineTick {
background-color: #E81123 !important; }
.emby-checkbox:checked + span + span + .checkboxOutline,
.progressring-spiner {
border-color: #E81123 !important; }
.emby-checkbox:focus + span + .emby-checkbox-focushelper {
background-color: #E81123 !important;
opacity: 0.26 !important; }
/* 1.1.2 Rectangles */
.raised {
background: #404040 !important;
color: #fff !important; }
.button-submit, .button-accent {
background: #E81123 !important;
color: #fff; }
.raised-mini.emby-button {
background: #E81123 !important;
color: #ffffff !important; }
/* Restart */
.btnRestartContainer.emby-button {
background: #E81123 !important;
color: #fff; }
/* Play & Resume */
.btnPlaySimple.emby-button {
background: #E81123 !important;
color: #fff; }
.btnResume.emby-button {
background: #94131E !important;
color: #fff; }
/* 1.1.3 Links & Text buttons */
.button-link, .button-flat-accent, .button-accent-flat,
.textlink {
color: #E81123 !important; }
.button-link:hover, .button-flat-accent:hover,
.button-accent-flat:hover, .textlink:hover {
color: #9b9b9b !important; }
.button-link:active, .button-flat-accent:active,
.button-accent-flat:active, .textlink:active {
color: #94131E !important; }
/* Top Header */
.emby-tab-button-active {
color: #E81123 !important; }
/* 1.1.4 Others */
/* Alpha Picker */
.alphaPickerButton-selected, .alphaPickerButton-tv:focus {
background-color: #E81123 !important;
color: #fff !important; }
/* Radio Buttons */
.mdl-radio__inner-circle {
background: #E81123 !important; }
.mdl-radio__button:checked + .mdl-radio__label + .mdl-radio__outer-circle {
border: 2px solid #E81123 !important; }
.mdl-radio__button:checked:focus + .mdl-radio__label + .mdl-radio__outer-circle + .mdl-radio__inner-circle {
-webkit-box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important;
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Control Group Buttons */
div[data-role="controlgroup"] a.ui-btn-active[data-role='button'] {
background: #E81123 !important;
color: #ffffff !important; }
/* ----- 1.2 Details ----- */
/* 1.2.1 Circles */
/*.listItemIcon:not(.listItemIcon-transparent) {
background-color: $accent-color !important; }*/
.dashboardSection i.listItemIcon.md-icon {
background-color: #E81123 !important; }
.scheduledTaskPaperIconItem[data-status="Running"] i.listItemIcon.md-icon {
background-color: #94131E !important; }
/* Focus Helper circles */
.paper-icon-button-light:focus {
color: #E81123 !important; }
/* 1.2.2 Indicators */
.countIndicator, .playedIndicator {
background: #E81123 !important; }
.levelNormal {
background-color: #E81123 !important; }
.fullSyncIndicator {
background: #E81123 !important;
color: #fff; }
.playstatebutton-played i, .ratingbutton-withrating i {
color: #E81123 !important; }
p#pUpToDate i.md-icon {
background-color: #E81123 !important; }
/* Loading Spinners */
.mdl-spinner__layer-1, .mdl-spinner__layer-2, .mdl-spinner__layer-3,
.mdl-spinner__layer-4 {
border-color: #E81123 !important; }
.progressring-spiner {
border: 0.25em solid #E81123 !important; }
/* 1.2.3 Fonts */
.selectLabelFocused, .textareaLabelFocused, .inputLabelFocused {
color: #E81123 !important; }
.secondary.listItemBodyText span, div#divRunningTasks span {
color: #E81123 !important; }
/* 1.2.4 Icons */
.starIcon, .mediaInfoTimerIcon {
color: #E81123 !important; }
/* Top Header */
.btnActiveCast {
color: #E81123 !important; }
/* Now Playing Bar & Now Playing Page */
.repeatActive,
button.btnCommand.repeatToggleButton.autoSize.nowPlayingPageRepeatActive {
color: #E81123 !important; }
/* 1.2.5 Dialogs & Action Sheets */
/* 1.2.6 Others */
/* General Accent Color Modifications */
:focus {
outline: #E81123 auto 5px; }
select:focus {
border-color: #E81123 !important; }
::selection {
background-color: #94131E !important; }
.emby-input:focus, .emby-textarea:focus {
border-color: #E81123 !important; }
/* Google Now Playing Bar & Now Playing Page */
.iconOsdProgressInner, .mdl-slider__background-lower, .sliderBubble,
.mdl-slider::-webkit-slider-thumb {
background: #E81123 !important; }
.mdl-slider:focus::-webkit-slider-thumb {
-webkit-box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26);
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Firefox Now Playing Bar & Now Playing Page */
.mdl-slider::-moz-range-thumb, .mdl-slider::-moz-range-progress {
background: #E81123 !important; }
.mdl-slider:focus::-moz-range-thumb {
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Progress Bars */
.itemProgressBarForeground {
background-color: #E81123 !important; }
.taskProgressInner {
background: #E81123 !important; }
/* Google Progress Bars */
progress::-webkit-progress-value {
background: #E81123 !important; }
/* Firefox Progress Bars */
progress::-moz-progress-bar {
background: #E81123 !important; }
/* Edge Progress Bars */
progress {
background: #E81123 !important; }
/* Main Drawers */
.navMenuDivider {
background: #262626 !important; }
.adminDrawerLogo {
border-bottom: 1px solid #262626 !important; }
.mainDrawer {
background: #181818 !important; }
.sidebarHeader {
color: #bbbbbb !important; }
.navMenuOption {
color: #ffffff !important; }
.navMenuOption.navMenuOption-selected {
background: #252528 !important;
color: #E81123 !important; }
.navMenuOption:hover {
background: #252528 !important;
color: #9b9b9b !important; }
/* Metadata Editor */
div.jstree-wholerow.jstree-wholerow-clicked:hover,
div.jstree-wholerow.jstree-wholerow-clicked,
div.jstree-wholerow.jstree-wholerow-hovered {
background: #252528 !important; }
.jstree-anchor.jstree-clicked,
.jstree-anchor.jstree-clicked.jstree-hovered {
background: #252528 !important;
color: #E81123 !important; }
/* Multi-select */
.itemSelectionPanel {
border: 1px solid #E81123 !important; }
.selectionCommandsPanel {
background: #E81123 !important;
color: #fff; }
/* upNextDialog */
.upNextDialog-countdownText {
color: #E81123 !important; }
/* Selection Bars */
.emby-select-selectionbar, .emby-textarea-selectionbar,
.emby-input-selectionbar {
background-color: #E81123 !important; }
/* Media Info Detail Image */
.itemDetailImage.loaded:hover {
border: 1px solid #E81123 !important; }
/* 1.3 Fixes */
/* ------------------ 2. MISCELLANEOUS MODIFICATIONS ----------------- */
/* ----- 2.1 Buttons ----- */
/* Circles */
.fab {
background-color: transparent !important;
-webkit-box-shadow: none !important;
box-shadow: none !important;
-webkit-transition: none !important;
-o-transition: none !important;
transition: none !important; }
/* ----- 2.2 Details ----- */
/* 2.2.1 Scrollbars */
/* Google Chrome */
::-webkit-scrollbar-corner {
background-color: #3B3B3B; }
::-webkit-scrollbar {
width: 10px;
height: 10px;
background-color: #3B3B3B; }
::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* Google Chrome - Dashboard Drawer */
div.scrollContainer.smoothScrollY::-webkit-scrollbar-corner {
background-color: transparent !important; }
div.scrollContainer.smoothScrollY::-webkit-scrollbar {
width: 2px;
height: 2px;
background-color: transparent !important; }
div.scrollContainer.smoothScrollY::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* Google Chrome - Filter Dialog */
.dynamicFilterDialog::-webkit-scrollbar-corner {
background-color: transparent !important; }
.dynamicFilterDialog::-webkit-scrollbar {
width: 2px;
height: 2px;
background-color: transparent !important; }
.dynamicFilterDialog::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* 2.2.2 Logos */
/* Login Page */
.imgLogoIcon {
content: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* Main Drawer Mobile */
.adminDrawerLogo img {
content: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* Home Page */
.pageTitleWithLogo {
background-image: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* 2.2.3 Others */
/* CSS Box */
#txtCustomCss {
height: 300px !important;
overflow-y: scroll !important; }
/* Select Box */
select option {
background-color: #2b2b2b !important;
color: #ffffff !important; }
/* Dialogs */
.formDialogHeader:not(.formDialogHeader-clear),
.formDialogFooter:not(.formDialogFooter-clear) {
background-color: #121212 !important;
color: #fff; }
/* Headers */
.skinHeader {
background-color: #080808 !important;
color: #fff !important; }
.skinHeader-withBackground {
background-color: #080808 !important; }
@supports (backdrop-filter: blur(1.5em)) or (-webkit-backdrop-filter: blur(1.5em)) {
.skinHeader-blurred {
background: rgba(20, 20, 20, 0.7) !important;
-webkit-backdrop-filter: blur(1.5em) !important;
backdrop-filter: blur(1.5em) !important; } }
.skinHeader.semiTransparent {
-webkit-backdrop-filter: none !important;
backdrop-filter: none !important;
background-color: rgba(0, 0, 0, 0.4) !important;
background-image: -webkit-gradient(linear, left top, left bottom, color-stop(10%, rgba(0, 0, 0, 0.7)), color-stop(10%, transparent)) !important;
background-image: -webkit-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: -moz-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: -o-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: linear-gradient(to bottom, rgba(0, 0, 0, 0.7) 10%, transparent) !important; }
.appfooter {
background: #080808 !important;
color: #fff !important; }
@supports (backdrop-filter: blur(10px)) or (-webkit-backdrop-filter: blur(10px)) {
.appfooter-blurred {
background: rgba(24, 24, 24, 0.7) !important;
-webkit-backdrop-filter: blur(20px) !important;
backdrop-filter: blur(20px) !important; } }
/* TV Global Modifications */
.emby-tab-button-active.emby-button-tv {
color: #fff !important; }
.guide-channelHeaderCell, .guide-channelTimeslotHeader {
background: #2e2e2e !important; }
.guide-programTextIcon {
color: #1e1e1e !important;
background: #555 !important; }
.guide-headerTimeslots {
color: #ccc !important; }
/* ----- 2.3 Fixes ----- */
/* 2.3.1 Dark Colors */
.autoorganizetable tbody tr:nth-child(odd) td, .autoorganizetable tbody tr:nth-child(odd) th {
background-color: #222326 !important; }
.autoorganizetable > .table > tbody > tr {
border: 1px solid #222326 !important; }
/*
_____________________________________________________________________
Emby Dark Themes is maintained by Ben Z (BenZuser)
with the contribution of Happy2Play.
_____________________________________________________________________
*/
/* TEMPORARY FIXES */
/* Links */
.searchSuggestionsList a, .noItemsMessage a, a.lnkPremiere {
color: #E81123 !important; }
.searchSuggestionsList a:hover, .noItemsMessage a:hover,
a.lnkPremiere:hover {
color: #9b9b9b !important; }
.searchSuggestionsList a:active, .noItemsMessage a:active,
a.lnkPremiere:active {
color: #94131E !important; }
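
Review bot: The three logo rules near the end of this file (.imgLogoIcon, .adminDrawerLogo img, .pageTitleWithLogo) pull logo.png from cdn.rawgit.com, so the login page and the themed pages depend on a third-party host and disclose each visitor's request to it. The rest of this change serves images from local paths such as /assets/img/AniNIX.png. Vendoring the logo there and pointing the three url() values at it removes the external dependency and lets a Content-Security-Policy restrict img-src to the site itself.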

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://aninix.net/martialarts/index.html</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/explore/repos</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/AniNIX/Wiki</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://irc.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://password.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://maat.aninix.net/index.html</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://singularity.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://wolfpack.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://yggdrasil.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://sharingan.aninix.net</loc>
<lastmod>2020-09-20</lastmod>
</url>
<!-- Unlisted:
lykos.aninix.net
adhan.aninix.net
-->
</urlset>
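
Review bot: The XML comment just before </urlset> lists lykos.aninix.net and adhan.aninix.net as "Unlisted", but a sitemap is served to anyone who requests it, so the comment publishes exactly the hostnames it means to keep out of the listing. Move that note to the commit message or internal documentation and drop it from the file. Separately, most <loc> entries point at other hosts (foundation., irc., password. and so on); crawlers generally honour only entries for the host that serves the sitemap, so each subdomain may need its own file.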

View File

@ -0,0 +1,271 @@
<!DOCTYPE html>
<html lang="en-US" class="theme-">
<head data-suburl="">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title> AniNIX </title>
<link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
<meta name="theme-color" content="#ff0000">
<meta name="author" content="AniNIX::Foundation" />
<meta name="description" content="AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)" />
<meta name="keywords" content="go,git,self-hosted,gitea,aninix,aninix::foundation">
<meta name="referrer" content="no-referrer" />
<meta name="_csrf" content="iI1Kkrppem-yCnHGCll-UshSK6A6MTYwMDcwNjM3MTUxOTU5NzYxNg" />
<script>
/*
@licstart The following is the entire license notice for the
JavaScript code in this page.
Copyright (c) 2016 The Gitea Authors
Copyright (c) 2015 The Gogs Authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
---
Licensing information for additional javascript libraries can be found at:
{{StaticUrlPrefix}}/vendor/librejs.html
@licend The above is the entire license notice
for the JavaScript code in this page.
*/
</script>
<script>
window.config = {
AppVer: '1.12.4',
AppSubUrl: '',
StaticUrlPrefix: '',
UseServiceWorker: true ,
csrf: 'iI1Kkrppem-yCnHGCll-UshSK6A6MTYwMDcwNjM3MTUxOTU5NzYxNg',
HighlightJS: false,
Minicolors: false,
SimpleMDE: false,
Tribute: false,
U2F: false,
Heatmap: false,
heatmapUser: null,
NotificationSettings: {
MinTimeout: 10000 ,
TimeoutStep: 10000 ,
MaxTimeout: 60000 ,
EventSourceUpdateTime: 10000 ,
},
};
</script>
<link rel="shortcut icon" href="/img/favicon.png">
<link rel="mask-icon" href="/img/gitea-safari.svg" color="#609926">
<link rel="fluid-icon" href="/img/gitea-lg.png" title="AniNIX">
<link rel="stylesheet" href="/vendor/assets/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/fomantic/semantic.min.css?v=d8d448774563cec3783c3b65d4e914b6">
<link rel="stylesheet" href="/css/index.css?v=d8d448774563cec3783c3b65d4e914b6">
<noscript>
<style>
.dropdown:hover > .menu { display: block; }
.ui.secondary.menu .dropdown.item > .menu { margin-top: 0; }
</style>
</noscript>
<style class="list-search-style"></style>
<meta property="og:title" content="AniNIX">
<meta property="og:type" content="website" />
<meta property="og:image" content="/img/gitea-lg.png" />
<meta property="og:url" content="https://foundation.aninix.net/" />
<meta property="og:description" content="AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)">
<meta property="og:site_name" content="AniNIX" />
<link rel="stylesheet" href="/css/theme-aninix.css?v=d8d448774563cec3783c3b65d4e914b6">
<link rel="icon" type="image/png" href="/img/AniNIX.png" />
<link rel="alternate" type="application/rss+xml" title="AniNIX::RSS" href="/aninix.xml" />
<link rel='apple-touch-icon' sizes='180x180' href='/img/AniNIX.png' />
<meta name='apple-mobile-web-app-capable' content='yes' />
</head>
<body>
<div class="full height">
<noscript>This website works better with JavaScript.</noscript>
<div class="ui top secondary stackable main menu following bar light">
<div class="ui container" id="navbar">
<div class="item brand" style="justify-content: space-between;">
<a href="/">
<img class="ui mini image" src="/img/gitea-sm.png">
</a>
<div class="ui basic icon button mobile-only" id="navbar-expand-toggle">
<i class="sidebar icon"></i>
</div>
</div>
<a class="item active" href="/">Home</a>
<a class="item " href="/explore/repos">Explore</a>
<a class="item" target="_blank" id="chat" href="https://irc.aninix.net/">Chat</a>
<a class="item" target="_blank" id="pwdchange" href="https://password.aninix.net/">Change Password</a>
<a class="item" id="martialarts" href="/martialarts/">Martial Arts</a>
<a class="item" target="_blank" rel="noopener noreferrer" href="https://docs.gitea.io">Help</a>
<div class="right stackable menu">
<a class="item" href="/user/sign_up">
<svg class="svg octicon-person" width="16" height="16" aria-hidden="true"><use xlink:href="#octicon-person" /></svg> Register
</a>
<a class="item" rel="nofollow" href="/user/login?redirect_to=">
<svg class="svg octicon-sign-in" width="16" height="16" aria-hidden="true"><use xlink:href="#octicon-sign-in" /></svg> Sign In
</a>
</div>
</div>
</div>
<div class="home">
<h2>Thank you for your purchase!</h2>
<footer>
<div class="ui container">
<div class="ui left">
Powered by Gitea Page: <strong>0ms</strong> Template: <strong>0ms</strong>
</div>
<div class="ui right links">
<div class="ui language bottom floating slide up dropdown link item">
<i class="world icon"></i>
<div class="text">English</div>
<div class="menu">
<a lang="en-US" class="item active selected" href="#">English</a>
<a lang="zh-CN" class="item " href="?lang=zh-CN">简体中文</a>
<a lang="zh-HK" class="item " href="?lang=zh-HK">繁體中文(香港)</a>
<a lang="zh-TW" class="item " href="?lang=zh-TW">繁體中文(台灣)</a>
<a lang="de-DE" class="item " href="?lang=de-DE">Deutsch</a>
<a lang="fr-FR" class="item " href="?lang=fr-FR">français</a>
<a lang="nl-NL" class="item " href="?lang=nl-NL">Nederlands</a>
<a lang="lv-LV" class="item " href="?lang=lv-LV">latviešu</a>
<a lang="ru-RU" class="item " href="?lang=ru-RU">русский</a>
<a lang="uk-UA" class="item " href="?lang=uk-UA">Українська</a>
<a lang="ja-JP" class="item " href="?lang=ja-JP">日本語</a>
<a lang="es-ES" class="item " href="?lang=es-ES">español</a>
<a lang="pt-BR" class="item " href="?lang=pt-BR">português do Brasil</a>
<a lang="pl-PL" class="item " href="?lang=pl-PL">polski</a>
<a lang="bg-BG" class="item " href="?lang=bg-BG">български</a>
<a lang="it-IT" class="item " href="?lang=it-IT">italiano</a>
<a lang="fi-FI" class="item " href="?lang=fi-FI">suomi</a>
<a lang="tr-TR" class="item " href="?lang=tr-TR">Türkçe</a>
<a lang="cs-CZ" class="item " href="?lang=cs-CZ">čeština</a>
<a lang="sr-SP" class="item " href="?lang=sr-SP">српски</a>
<a lang="sv-SE" class="item " href="?lang=sv-SE">svenska</a>
<a lang="ko-KR" class="item " href="?lang=ko-KR">한국어</a>
</div>
</div>
<a href="/vendor/librejs.html" data-jslicense="1">JavaScript licenses</a>
<a href="/api/swagger">API</a>
<a target="_blank" rel="noopener noreferrer" href="https://gitea.io">Website</a>
</div>
</div>
</footer>
<script src="/js/jquery.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script src="/fomantic/semantic.min.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script src="/js/index.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-18148792-3']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<script src="https://redalert.battleforthenet.com/widget.js" async></script>
<script type="text/javascript">
document.getElementsByClassName('brand')[0].children[0].children[0].src="/img/AniNIX.png";
$('meta[property=og\\:image]').attr('content', '/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('href', '/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('color', '#000000');
document.getElementsById("pwdchange").setAttribute("target","_blank");
document.getElementsById("chat").setAttribute("target","_blank");
</script>
</body>
</html>
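
Review bot: This file is a saved copy of a rendered Gitea page, and it carries that render's CSRF token in both the <meta name="_csrf"> tag and window.config.csrf. A token checked into the repository is useless to real visitors and does not belong in version control; generate the page from the templates, or strip the _csrf meta and the window.config block from the snapshot. In the last script block, document.getElementsById(...) is not a DOM method, so both calls throw a TypeError; the method is document.getElementById, and the calls are redundant because both links already carry target="_blank". The widget.js include from redalert.battleforthenet.com is third-party script loaded without an integrity attribute.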

View File

@ -0,0 +1,9 @@
User-agent: *
Allow: /$
Allow: /issues
Allow: /pulls
Allow: /explore
Allow: /AniNIX/
Allow: /martialarts/
Allow: /sitemap.xml
Disallow: /
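
Review bot: Disallow: / with an Allow list only instructs well-behaved crawlers; paths such as /user/login or /api/swagger remain reachable, so nothing here should be relied on to hide them. The file allows /sitemap.xml but never declares it; adding a Sitemap: line with the absolute URL lets crawlers find it without guessing.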

View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://aninix.net/index.php</loc>
<lastmod>2019-10-24</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/legal.php</loc>
<lastmod>2018-01-24</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/wiki.php</loc>
<lastmod>2017-05-09</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/martialarts.php</loc>
<lastmod>2018-09-18</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/qr.php</loc>
<lastmod>2016-11-01</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/social.php</loc>
<lastmod>2019-10-04</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/webapps.php</loc>
<lastmod>2018-10-11</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/downloads.php</loc>
<lastmod>2018-04-06</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/charity.php</loc>
<lastmod>2018-04-06</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/chatroom.php</loc>
<lastmod>2017-05-09</lastmod>
</url>
<url>
<loc>https://aninix.net/martialarts/index.php</loc>
<lastmod>2019-08-26</lastmod>
</url>
</urlset>

View File

@ -0,0 +1,3 @@
<a class="item" target="_blank" id="chat" href="https://irc.aninix.net/">Chat</a>
<a class="item" target="_blank" id="pwdchange" href="https://password.aninix.net/">Change Password</a>
<a class="item" id="martialarts" href="{{AppSubUrl}}/martialarts/">Martial Arts</a>
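
Review bot: The Chat and Change Password links open with target="_blank" but without rel="noopener noreferrer", unlike the stock Help link in the navbar. Add the rel attribute to both so the opened page gets no window.opener handle back to this site, which matters most for the password-change destination.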

View File

@ -0,0 +1,24 @@
<!-- Google Analytics -->
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-18148792-3']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<!-- Replace Gitea icon with AniNIX -->
<script type="text/javascript">
document.getElementById('navbar').children[0].children[0].children[0].src="/assets/img/AniNIX.png";
$('meta[property=og\\:image]').attr('content', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('href', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('color', '#000000');
document.getElementById("pwdchange").setAttribute("target","_blank");
document.getElementById("chat").setAttribute("target","_blank");
</script>
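
Review bot: The analytics loader keeps a plaintext branch: when document.location.protocol is not https it builds http://www.google-analytics.com/ga.js, and anyone on the network path can then replace script that runs in the Gitea origin. Hard-code the https URL, or drop the legacy ga.js snippet if analytics is not needed on a code-hosting site. The icon swap through document.getElementById('navbar').children[0].children[0].children[0] breaks as soon as the navbar markup changes; select the image directly, for example with querySelector('#navbar .brand img'). The two setAttribute("target","_blank") calls duplicate what the link markup already sets.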

View File

@ -0,0 +1,4 @@
<link rel="icon" type="image/png" href="/assets/img/AniNIX.png" />
<link rel="alternate" type="application/rss+xml" title="AniNIX/RSS" href="/aninix.xml" />
<link rel='apple-touch-icon' sizes='180x180' href='/assets/img/AniNIX.png' />
<meta name='apple-mobile-web-app-capable' content='yes' />
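
Review bot: The RSS alternate link points at /aninix.xml, while the home template in this same change links the feed as /assets/aninix.xml and the icons in this file have already moved under /assets/. One of the two feed paths is likely stale; align them so feed readers and the social icon resolve to the same file.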

View File

@ -0,0 +1,88 @@
{{template "base/head" .}}
<!-- BEGIN CUSTOM HOME -->
<div class="home">
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="{{AppSubUrl}}/assets/img/avatar_default.png" />
</div>
<div class="hero">
<h1 class="ui icon header title">
AniNIX
</h1>
<h2>Welcome to the network</h2>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<a href="https://foundation.aninix.net/explore/repos">Open source security</a>
</h1>
<p class="large">
The AniNIX's primary goal is to ensure everyone has access to the knowledge they need to build a low-cost, secure platform. We make all our source-code accessible and open-source.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/IRCIcon.png'/>
<a href='ircs://aninix.net:6697/#lobby'>Contact us anytime</a>
</h1>
<p class="large">
We run an open IRC network -- we'd love to connect with you there. Not familiar with IRC? No worries -- we have a <a href="https://irc.aninix.net/" target=_blank alt="AniNIX/IRC (Web)" id="webchat">webchat</a> available.
</p> </div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/WikiIcon.png"/>
<a href="/AniNIX/Wiki">Open documentation</a>
</h1>
<p class="large">
We maintain a Wiki to document how and why we do what we do. Hopefully, it can both help others to learn more about computing and spark discussion with the community at large.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/MaatIcon.png"/>
<a href="https://maat.aninix.net/">Downloads</a>
</h1>
<p class="large">
We offer downloads from our AniNIX::Maat continuous-deployment system, including static files and packages for <a href="https://archlinux.org/">ArchLinux-style distributions.</a>
</p>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2>Webapps</h2>
<p>We host a number of web apps to make our users' lives easier.
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/SingularityIcon.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/YggdrasilIcon.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/SharinganIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Nagios)</p></a></div>
<div class="four wide center column"><a title="AniNIX/WolfPack" href="https://wolfpack.aninix.net"><img src="/assets/img/icons/WolfPackIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/WolfPack (Botnet download results)</p></a></div>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2>Follow us on social media</h2>
<p>We want to stay in touch with you, so we are present on the social media platforms we find applicable.<br/> Have one you want us on? Contact us and let us know!</p>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="two wide center column"><!--placeholder--><p>&nbsp;</p></div>
<div class="two wide center column"><a title=AniNIX/RSS href="/assets/aninix.xml"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/social/rss.png" /></a></div>
<div class="two wide center column"><a title=Discord href="https://discord.gg/2bmggfR"><img alt=Discord style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/discord.ico" /></a></div>
<div class="two wide center column"><a title=GitHub href="https://github.com/AniNIX"><img alt=GitHub src="/assets/img/social/github.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=YouTube href="https://www.youtube.com/channel/UCe-WNM2mbI51xoVZp3K_wFQ"><img src="/assets/img/social/youtube.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=LinkedIn href="https://www.linkedin.com/groups/13577720"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/linkedin.png" /></a></div>
<div class="two wide center column"><a title=Facebook href="https://facebook.com/aninixnetwork"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/facebook.png" /></a></div>
<div class="two wide center column"><!--placeholder--><p>&nbsp;</p></div>
</div>
</div>
</div>
<!-- END CUSTOM HOME -->
{{template "base/footer" .}}
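
Review bot: In the Webapps section, the paragraph starting "<p>We host a number of web apps" is never closed before the </div>, and the Downloads icon has height=20x where the other icons use 20px. The webchat link sets target=_blank without rel="noopener noreferrer"; add it as on the stock Help link. Several of the webapp and social images have no alt text.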

View File

@ -0,0 +1,51 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
After=postgresql.service
After=memcached.service
After=redis.service
[Service]
User=gitea
Group=gitea
Type=simple
WorkingDirectory=~
RuntimeDirectory=gitea
LogsDirectory=gitea
StateDirectory=gitea
Environment=USER=gitea HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea GITEA_CUSTOM=/var/lib/gitea/custom/
ExecStart=/usr/bin/gitea web -c /var/lib/gitea/custom/conf/app.ini --custom-path=/var/lib/gitea/custom/
Restart=always
RestartSec=2s
ReadWritePaths=/var/lib/gitea/custom/conf/app.ini
AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
#Required by commit search
#MemoryDenyWriteExecute=true
NoNewPrivileges=True
#SecureBits=noroot-locked
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target
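
Review bot: ReadWritePaths=/var/lib/gitea/custom/conf/app.ini adds nothing here, because StateDirectory=gitea already leaves all of /var/lib/gitea writable under ProtectSystem=strict. That includes custom/conf, the templates and custom/bin, so a compromised Gitea process can rewrite its own configuration and the script the pacman hook runs. If app.ini no longer needs to change after installation, mark the custom tree with ReadOnlyPaths=/var/lib/gitea/custom and keep only the data directories writable. #SecureBits=noroot-locked is commented out without a stated reason, unlike MemoryDenyWriteExecute; record why or remove the line.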

View File

@ -0,0 +1,10 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = gitea
[Action]
Description = Updating Gitea Custom Pages
When = PostTransaction
Exec = /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom

View File

@ -0,0 +1,10 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = gitea
[Action]
Description = Updating Gitea Custom Pages
When = PostTransaction
Exec = /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom
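
Review bot: This hook is line-for-line identical to the previous file in this change (same Trigger, same Exec). If both are installed into the hooks directory, gen-aninix-custom runs twice per gitea transaction; keep one copy, or symlink if two paths are needed. The Exec line runs a script from /var/lib/gitea/custom/bin, which the service user can write, so the runuser -u gitea drop is what keeps that script from executing as root and must stay in place.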

View File

@ -0,0 +1,82 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
<div>
<img class="logo" src="/assets/img/icons/MartialArtsIcon.png" />
</div>
<div class="hero">
<h1 class="ui icon header title">
AniNIX Martial Arts
</h1>
<h2>Open-source, research-driven self-defense and personal health</h2>
<p>AniNIX Martial Arts is a small martial arts collective focusing on research-driven martial arts. Our core style is USHF HapKiDo, but we are influenced by HEMA, Razmafzar, Kali, Shaolin, Silat, JKD, BJJ, and many other systems. We are a research-driven group -- we encourage cross-training with other systems and will bring in new concepts regularly. The class is open to all experience levels, gender identity, gender expression, sexual orientation, religious or cultural identity, socioecomic status, or age (above 14), in Southcentral Wisconsin -- we will fit your training to your needs and goals.</p><p>Drop-ins are welcome, and registration is cheap. We hope you'll give us a chance to show you what we can do.</p>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<a href="/mawiki">Open-source</a>
</h1>
<p class="large">
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/ushf.jpg'/>
<a href='https://ushapkidofederation.wordpress.com/'>Research-driven</a>
</h1>
<p class="large">
Our system is always growing. We are a United States HapKiDo Federation (USHF) school, and that gives us access to high-quality instructors and seminar material each year from across the US. We also maintain good relationships with other schools in our area -- we want our students to examine what they're learing and make sure that it works, and that means looking at different perspectives.
</p> </div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/MartialArtsIcon.png"/>
<a href="/martialarts/index.html#storefront">Low-cost</a>
</h1>
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
<p class="large">
<ul style="text-align: left;">
<li><b>Cost:</b> $10 per month in-person; $5 per month livestream -- pay below.</li>
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
<li><b>Location:</b> <a href="https://g.page/aninix-martial-arts?share">225 Blaser Drive, Belleville, WI</a></li>
<li><b>What to bring:</b> Exercise clothes and water</li>
</ul></p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/IRCIcon.png"/>
<a href="/martialarts/index.html#social">Real-life First</a>
</h1>
<p class="large">
Everyone is welcome! Class attendance is not mandated and belt-testing is not required to train. As a courtesy, please inform the class of your absence or intended late arrival -- real-life comes first, and we're happy to work with your needs. As long as one person shows, we'll have class -- the smaller the class, the more tailored it is, but the bigger classes mean more partners and body types.</p>
<p class="large">
Our focus is also on what you will actually use. While we appreciate traditional and esoteric training for self-development, our weekly classes are focused on modern techniques and training methods so that you get the most out of your time. Our goal is to help create a community of prepared and healthy citizens, and we believe martial arts helps build that in a way no other activity can.
</p>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="ui stackable middle very relaxed page grid" id="social">
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2 id=social>Follow us on social media</h2>
<p class=large>We want to stay in touch with you, so we are present on the social media platforms we find applicable.<br/> Have one you want us on? Contact us and let us know!</p>
</div>
<div class="ui stackable middle very relaxed page grid" id="social">
<div class="two wide center column"><p>&nbsp;</p></div>
<div class="two wide center column"><a title=RSS href="/martialarts/maqotw.xml"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/social/rss.png" /></a></div>
<div class="two wide center column"><a title=Discord href="https://discord.gg/2bmggfR"><img alt=Discord style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/discord.ico" /></a></div>
<div class="two wide center column"><a title=NextDoor href="https://nextdoor.com/news_feed/?post=112835813"><img alt=NextDoor src="/assets/img/social/nextdoor.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=YouTube href="https://www.youtube.com/channel/UCVAkee-WaInnZbPn16bqzrw/about?view_as=subscriber"><img src="/assets/img/social/youtube.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=Strava href="https://www.strava.com/clubs/aninixmartialarts"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/strava.png" /></a></div>
<div class="two wide center column"><a title=Facebook href="https://www.facebook.com/groups/aninixmartialarts/"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/facebook.png" /></a></div>
<div class="two wide center column"><p>&nbsp;</p></div>
</div>
</div>
</div>
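Review bot: `id="social"` is declared three times in this hunk, on the outer grid div, on `<h2 id=social>` and again on the inner grid div, so the `#social` fragment that "Real-life First" links to is ambiguous; keep the id on one element only. The "Real-life First" icon also has `height=20x` where the other icons use `20px`, the price list `<ul>` is nested inside `<p class="large">`, and the YouTube, Strava and Facebook images have no `alt` text while RSS, Discord and NextDoor do.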

@ -0,0 +1,107 @@
<div class="ui stackable middle very relaxed page grid">
<script src="https://js.stripe.com/v3"></script>
<div class="sixteen wide center aligned centered column">
<h1 class="ui icon header title">
AniNIX
</h1>
<h2>Our Storefront</h2>
<p>We have limited service offerings available. Please contact an admin on IRC first to arrange the contract, then use the item below to pay the invoice.</p>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
Cybersecurity Consulting
</h1>
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
<p class="large">
<form action="./storefront.html" id="hours">
<label for="hourcount">Hours required</label>
<select name="hourcount" id="hourscount">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
</select>
<br/>
</form>
<!-- START STRIPE CODE -->
<!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
<button
style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
id="checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E"
role="link"
type="button"
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
// them to Checkout.
stripe.redirectToCheckout({
lineItems: [{price: 'price_1HTuehI49P1uFPoXCW9pJg5E', quantity: parseInt(document.getElementById('hourscount').value)}],
mode: 'payment',
// Do not rely on the redirect to the successUrl for fulfilling
// purchases, customers may not always reach the success_url after
// a successful payment.
// Instead use one of the strategies described in
// https://stripe.com/docs/payments/checkout/fulfill-orders
successUrl: window.location.protocol + '//aninix.net/pay/thank-you.html',
cancelUrl: window.location.protocol + '//aninix.net/pay/storefront.html',
})
.then(function (result) {
if (result.error) {
// If `redirectToCheckout` fails due to a browser or network
// error, display the localized error message to your customer.
var displayError = document.getElementById('error-message');
displayError.textContent = result.error.message;
}
});
});
})();
</script>
<! -- END STRIPE CODE -->
</p>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<hr style="margin-top: 50px;" />
<h2>Donate</h2>
<p>If you like what we do, you can also donate on one of these platforms:</p>
<ul style="width:500px;text-align: left;margin:auto;">
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
</ul>
</div>
</div>
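Review bot: `successUrl` and `cancelUrl` are built from `window.location.protocol`, so a visitor who loads the storefront over plain HTTP is sent back from Checkout to an `http://aninix.net/pay/...` page; hardcode `https://` in both. The quantity comes straight from `parseInt(document.getElementById('hourscount').value)` and nothing on the page ties the amount paid to the hours agreed with an admin, so each payment has to be reconciled on the Stripe side, which is also what the inline comment about not relying on `successUrl` asks for. Smaller points: `<label for="hourcount">` does not match `id="hourscount"`, `parseInt` is called without a radix, `<! -- END STRIPE CODE -->` has a space that makes it a malformed comment, and the header block at the top closes one more `</div>` than it opens.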

@ -0,0 +1,12 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="/assets/img/icons/CoreIcon.png" />
</div>
<div class="hero">
<h2 class="ui icon header title">
Thank you for your purchase!
</h2>
</div>
</div>
</div>

@ -0,0 +1,96 @@
---
- name: Base packages
become: yes
package:
name:
- gitea
- name: BitBot
become: yes
git:
repo: https://github.com/jesopo/bitbot.git
dest: /opt/bitbot
- name: Make directories
become: yes
file:
path: "/var/lib/gitea/{{ item }}"
owner: gitea
group: gitea
mode: 0750
loop:
- "custom/bin"
- "web-snippets"
- name: Populate config
become: yes
register: config
template:
src: app.ini.j2
dest: /var/lib/gitea/custom/conf/app.ini
owner: gitea
group: gitea
mode: 0750
- name: Copy web-snippets
become: yes
copy:
src: web-snippets/
dest: /var/lib/gitea/web-snippets
owner: gitea
group: gitea
mode: 0640
- name: Copy scripts
become: yes
copy:
src: custom/
dest: /var/lib/gitea/custom/
owner: gitea
group: gitea
- name: Publish AniNIX/Yggdrasil CSS
become: yes
get_url:
url: https://github.com/BenZuser/Emby-Web-Dark-Themes-CSS/raw/master/RED/theme.css
dest: /var/lib/gitea/custom/public/css/emby-web-dark-theme-BenZuser.css
owner: gitea
group: gitea
- name: Copy hook
become: yes
copy:
src: gitea.hook
dest: /etc/pacman.d/hooks/gitea.hook
owner: gitea
group: gitea
- name: Service file
become: yes
register: servicefile
copy:
src: foundation.service
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0755
- name: Ensure default service disabled
become: yes
service:
name: gitea
state: stopped
enabled: no
- name: Generate pages
become: yes
register: custompages
command: /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom
- name: Restart service
become: yes
when: config.changed or servicefile.changed or custompages.changed
service:
name: foundation
state: restarted
enabled: yes
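Review bot: The "Copy hook" task installs `/etc/pacman.d/hooks/gitea.hook` with `owner: gitea` and `group: gitea`, but pacman runs hooks as root, so the service account should not own that file; use `owner: root`, `group: root` and an explicit `mode: "0644"`. "BitBot" clones `https://github.com/jesopo/bitbot.git` with no `version:` and "Publish AniNIX/Yggdrasil CSS" downloads `theme.css` from a third-party `master` branch with no `checksum:`, so both tasks deploy whatever upstream serves at run time; pin a commit and a hash. "Populate config" writes `app.ini` with `mode: 0750` and "Service file" uses `mode: 0755`; neither file needs execute bits, and the rendered config carries the `secrets.Foundation.*` values, so `0640` fits better. "Generate pages" is a bare `command:` without `changed_when`, so `custompages.changed` is always true and "Restart service" fires on every run.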

@ -0,0 +1,744 @@
; This file lists the default values used by Gitea
; Copy required sections to your own app.ini (default is custom/conf/app.ini)
; and modify as needed.
; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
; App name that shows in every page title
APP_NAME = AniNIX
; Change it if you run locally
RUN_USER = gitea
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
[repository]
ROOT = repos
SCRIPT_TYPE = bash
; Default ANSI charset
ANSI_CHARSET =
; Force every new repository to be private
FORCE_PRIVATE = false
; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
DEFAULT_PRIVATE = last
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = -1
; Preferred Licenses to place at the top of the List
; The name here must match the filename in conf/license or custom/conf/license
PREFERRED_LICENSES = AniNIX-WTFPL
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = false
; Value for Access-Control-Allow-Origin header, default is not to present
; WARNING: This maybe harmful to you website if you do not give it a right value.
ACCESS_CONTROL_ALLOW_ORIGIN =
; Force ssh:// clone url instead of scp-style uri when default SSH port is used
USE_COMPAT_SSH_URI = false
; Close issues as long as a commit on any branch marks it as fixed
DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false
[repository.editor]
; List of file extensions for which lines should be wrapped in the CodeMirror editor
; Separate extensions with a comma. To line wrap files without an extension, just put a comma
LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,
; Valid file modes that have a preview API associated with them, such as api/v1/markdown
; Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match
PREVIEWABLE_FILE_MODES = markdown
[repository.local]
; Path for local repository copy. Defaults to `tmp/local-repo`
LOCAL_COPY_PATH = tmp/local-repo
; Path for local wiki copy. Defaults to `tmp/local-wiki`
LOCAL_WIKI_PATH = tmp/local-wiki
[repository.upload]
; Whether repository file uploads are enabled. Defaults to `true`
ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES =
; Max size of each file in megabytes. Defaults to 3MB
FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5
MAX_FILES = 5
[repository.pull-request]
; List of prefixes used in Pull Request title to mark them as Work In Progress
WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]
[repository.issue]
; List of reasons why a Pull Request or Issue can be locked
LOCK_REASONS = Too heated,Off-topic,Resolved,Spam
[cors]
; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers
; enable cors headers (disabled by default)
ENABLED = false
; scheme of allowed requests
SCHEME = http
; list of requesting domains that are allowed
ALLOW_DOMAIN = *
; allow subdomains of headers listed above to request
ALLOW_SUBDOMAIN = false
; list of methods allowed to request
METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
; max time to cache response
MAX_AGE = 10m
; allow request with credentials
ALLOW_CREDENTIALS = false
[ui]
; Number of repositories that are displayed on one explore page
EXPLORE_PAGING_NUM = 20
; Number of issues that are displayed on one page
ISSUE_PAGING_NUM = 10
; Number of maximum commits displayed in one activity feed
FEED_MAX_COMMIT_NUM = 5
; Number of maximum commits displayed in commit graph.
GRAPH_MAX_COMMIT_NUM = 100
; Number of line of codes shown for a code comment
CODE_COMMENT_LINES = 4
; Value of `theme-color` meta tag, used by Android >= 5.0
; An invalid color like "none" or "disable" will have the default style
; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
THEME_COLOR_META_TAG = `#ff0000`
; Max size of files to be displayed (default is 8MiB)
MAX_DISPLAY_FILE_SIZE = 8388608
; Whether the email of the user should be shown in the Explore Users page
SHOW_USER_EMAIL = true
; Set the default theme for the Gitea install
DEFAULT_THEME = aninix
; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`.
THEMES = gitea,arc-green,aninix
; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
DEFAULT_SHOW_FULL_NAME = false
[ui.admin]
; Number of users that are displayed on one page
USER_PAGING_NUM = 50
; Number of repos that are displayed on one page
REPO_PAGING_NUM = 50
; Number of notices that are displayed on one page
NOTICE_PAGING_NUM = 25
; Number of organizations that are displayed on one page
ORG_PAGING_NUM = 50
[ui.user]
; Number of repos that are displayed on one page
REPO_PAGING_NUM = 15
[ui.meta]
AUTHOR = AniNIX::Foundation
DESCRIPTION = AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)
KEYWORDS = go,git,self-hosted,gitea,aninix,aninix::foundation
[markdown]
; Enable hard line break extension
ENABLE_HARD_LINE_BREAK = false
; List of custom URL-Schemes that are allowed as links when rendering Markdown
; for example git,magnet
CUSTOM_URL_SCHEMES =
; List of file extensions that should be rendered/edited as Markdown
; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = http
DOMAIN = {{ external_domain }}
ROOT_URL = https://{{ external_domain }}/
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server
; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main
; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for
; PORT_TO_REDIRECT.
REDIRECT_OTHER_PORT = false
PORT_TO_REDIRECT = 3000
; Permission for unix socket
UNIX_SOCKET_PERMISSION = 660
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
; In most cases you do not need to change the default value.
; Alter it only if your SSH server node is not the same as HTTP node.
; Do not set this variable if PROTOCOL is set to 'unix'.
LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
; Disable SSH feature when not available
DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = false
; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
BUILTIN_SSH_SERVER_USER =
; Domain name to be exposed in clone URL
SSH_DOMAIN = foundation.aninix.net
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST =
; Port number to be exposed in clone URL
SSH_PORT = 22
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH =
; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
SSH_CREATE_AUTHORIZED_KEYS_FILE = true
; For the built-in SSH server, choose the ciphers to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
; For the built-in SSH server, choose the MACs to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
; Directory to create temporary files in when testing public keys using ssh-keygen,
; default is the system temporary directory.
SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
SSH_KEYGEN_PATH = ssh-keygen
; Enable SSH Authorized Key Backup when rewriting all keys, default is true
SSH_BACKUP_AUTHORIZED_KEYS = true
; Enable exposure of SSH clone URL to anonymous visitors, default is false
SSH_EXPOSE_ANONYMOUS = false
; Indicate whether to check minimum key size with corresponding type
MINIMUM_KEY_SIZE_CHECK = false
; Disable CDN even in "prod" mode
OFFLINE_MODE = true
DISABLE_ROUTER_LOG = false
; Generate steps:
; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
;
; Or from a .pfx file exported from the Windows certificate store (do
; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
CERT_FILE = custom/https/cert.pem
KEY_FILE = custom/https/key.pem
; Root directory containing templates and static files.
; default is the path where Gitea is executed
STATIC_ROOT_PATH = /usr/share/gitea
; Default path for App data
APP_DATA_PATH = data
; Application level GZIP support
ENABLE_GZIP = false
; Application profiling (memory and cpu)
; For "web" command it listens on localhost:6060
; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)_<username>_<temporary id>
ENABLE_PPROF = false
; PPROF_DATA_PATH, use an absolute path when you start gitea as service
PPROF_DATA_PATH = data/tmp/pprof
; Landing page, can be "home", "explore", or "organizations"
LANDING_PAGE = home
; Enables git-lfs support. true or false, default is false.
LFS_START_SERVER = true
; Where your lfs files reside, default is data/lfs.
; LFS authentication secret, change this yourself
LFS_JWT_SECRET = {{ secrets.Foundation.lfs_jwt_secret }}
; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
LFS_HTTP_AUTH_EXPIRY = 20m
[lfs]
PATH = data/lfs
; Define allowed algorithms and their minimum key length (use -1 to disable a type)
[ssh.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
RSA = 2048
DSA = 1024
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ secrets.Foundation.database_password }}
; For Postgres, either "disable" (default), "require", or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = disable
; For MySQL only, either "utf8" or "utf8mb4", default is "utf8".
; NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
CHARSET = utf8
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
PATH = data/gitea.db
; For "sqlite3" only. Query timeout
SQLITE_TIMEOUT = 500
; For iterate buffer, default is 50
ITERATE_BUFFER_SIZE = 50
; Show the database generated SQL
LOG_SQL = false
; Maximum number of DB Connect retries
DB_RETRIES = 10
; Backoff time per DB retry (time.Duration)
DB_RETRY_BACKOFF = 3s
[indexer]
; Issue indexer type, currently support: bleve or db, default is bleve
ISSUE_INDEXER_TYPE = bleve
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = indexers/issues.bleve
; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = false
REPO_INDEXER_PATH = indexers/repos.bleve
MAX_FILE_SIZE = 1048576
[admin]
; Disallow regular (non-admin) users from creating organizations.
DISABLE_REGULAR_ORG_CREATION = true
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ secrets.Foundation.secret_key }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
COOKIE_USERNAME = gitea_awesome
COOKIE_REMEMBER_NAME = gitea_incredible
; Reverse proxy authentication header name of user name
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
; The minimum password length for new Users
MIN_PASSWORD_LENGTH = 6
; Set to true to allow users to import local server paths
IMPORT_LOCAL_PATHS = false
; Set to true to prevent all users (including admin) from creating custom git hooks
DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
[openid]
;
; OpenID is an open, standard and decentralized authentication protocol.
; Your identity is the address of a webpage you provide, which describes
; how to prove you are in control of that page.
;
; For more info: https://en.wikipedia.org/wiki/OpenID
;
; Current implementation supports OpenID-2.0
;
; Tested to work providers at the time of writing:
; - Any GNUSocial node (your.hostname.tld/username)
; - Any SimpleID provider (http://simpleid.koinic.net)
; - http://openid.org.cn/
; - openid.stackexchange.com
; - login.launchpad.net
; - <username>.livejournal.com
;
; Whether to allow signin in via OpenID
ENABLE_OPENID_SIGNIN = FALSE
; Whether to allow registering via OpenID
; Do not include to rely on rhw DISABLE_REGISTRATION setting
; ENABLE_OPENID_SIGNUP = true
; Allowed URI patterns (POSIX regexp).
; Space separated.
; Only these would be allowed if non-blank.
; Example value: trusted.domain.org trusted.domain.net
WHITELISTED_URIS =
; Forbidden URI patterns (POSIX regexp).
; Space separated.
; Only used if WHITELISTED_URIS is blank.
; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
BLACKLISTED_URIS =
ENABLE_OPENID_SIGNUP = false
[service]
; Time limit to confirm account/email registration
ACTIVE_CODE_LIVE_MINUTES = 180
; Time limit to perform the reset of a forgotten password
RESET_PASSWD_CODE_LIVE_MINUTES = 180
; Whether a new user needs to confirm their email when registering.
REGISTER_EMAIL_CONFIRM = false
; List of domain names that are allowed to be used to register on a Gitea instance
; gitea.io,example.com
EMAIL_DOMAIN_ALLOWLIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = false
; Mail notification
ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/gogits/gogs/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
ENABLE_REVERSE_PROXY_EMAIL = false
; Enable captcha validation for registration
ENABLE_CAPTCHA = false
; Type of captcha you want to use. Options: image, recaptcha
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Change this to use recaptcha.net or other recaptcha service
RECAPTCHA_URL = https://www.google.com/recaptcha/
; Default value for KeepEmailPrivate
; Each new user will get the value of this setting copied into their profile
DEFAULT_KEEP_EMAIL_PRIVATE = false
; Default value for AllowCreateOrganization
; Every new user will have rights set to create organizations depending on this setting
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
; Either "public", "limited" or "private", default is "public"
; Limited is for signed user only
; Private is only for member of the organization
; Public is for everyone
DEFAULT_ORG_VISIBILITY = public
; Default value for EnableDependencies
; Repositories will use dependencies by default depending on this setting
DEFAULT_ENABLE_DEPENDENCIES = true
; Enable heatmap on users profiles.
ENABLE_USER_HEATMAP = true
; Enable Timetracking
ENABLE_TIMETRACKING = true
; Default value for EnableTimetracking
; Repositories will use timetracking by default depending on this setting
DEFAULT_ENABLE_TIMETRACKING = true
; Default value for AllowOnlyContributorsToTrackTime
; Only users with write permissions can track time if this is true
DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
; Default value for the domain part of the user's email address in the git log
; if he has set KeepEmailPrivate to true. The user's email will be replaced with a
; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
NO_REPLY_ADDRESS = noreply.aninix.net
; Show Registration button
SHOW_REGISTRATION_BUTTON = true
; Default value for AutoWatchNewRepos
; When adding a repo to a team or creating a new repo all team members will watch the
; repo automatically if enabled
AUTO_WATCH_NEW_REPOS = true
[webhook]
; Hook task queue length, increase if webhook shooting starts hanging
QUEUE_LENGTH = 1000
; Deliver timeout in seconds
DELIVER_TIMEOUT = 5
; Allow insecure certification
SKIP_TLS_VERIFY = false
; Number of history information in each page
PAGING_NUM = 10
ALLOWED_HOST_LIST = ::1/128, 127.0.0.1/32
; We don't use mail
[mailer]
ENABLED = false
[cache]
; Either "memory", "redis", or "memcache", default is "memory"
ADAPTER = memory
; For "memory" only, GC interval in seconds, default is 60
INTERVAL = 60
; For "redis" and "memcache", connection host address
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; memcache: `127.0.0.1:11211`
HOST =
; Time to keep items in cache if not used, default is 16 hours.
; Setting it to 0 disables caching
ITEM_TTL = 16h
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
; Provider config options
; memory: doesn't have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = data/sessions
; Session cookie name
COOKIE_NAME = i_like_gitea
; If you use session in https only, default is false
COOKIE_SECURE = false
; Enable set cookie, default is true
ENABLE_SET_COOKIE = true
; Session GC time interval in seconds, default is 86400 (1 day)
GC_INTERVAL_TIME = 86400
; Session life time in seconds, default is 86400 (1 day)
SESSION_LIFE_TIME = 86400
[picture]
AVATAR_UPLOAD_PATH = data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
; How Gitea deals with missing repository avatars
; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
REPOSITORY_AVATAR_FALLBACK = none
REPOSITORY_AVATAR_FALLBACK_IMAGE = /img/repo_default.png
; Max Width and Height of uploaded avatars.
; This is to limit the amount of RAM used when resizing the image.
AVATAR_MAX_WIDTH = 4096
AVATAR_MAX_HEIGHT = 3072
; Maximum alloved file size for uploaded avatars.
; This is to limit the amount of RAM used when resizing the image.
AVATAR_MAX_FILE_SIZE = 1048576
; Chinese users can choose "duoshuo"
; or a custom avatar source, like: http://cn.gravatar.com/avatar/
GRAVATAR_SOURCE = gravatar
; This value will always be true in offline mode.
DISABLE_GRAVATAR = true
; Federated avatar lookup uses DNS to discover avatar associated
; with emails, see https://www.libravatar.org
; This value will always be false in offline mode or when Gravatar is disabled.
ENABLE_FEDERATED_AVATAR = false
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLED = true
; Path for attachments. Defaults to `data/attachments`
PATH = data/attachments
; One or more allowed types, e.g. image/jpeg|image/png
ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip
; Max size of each file. Defaults to 4MB
MAX_SIZE = 4
; Max number of files per upload. Defaults to 5
MAX_FILES = 5
[time]
; Specifies the format for fully outputted dates. Defaults to RFC1123
; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
; For more information about the format see http://golang.org/pkg/time/#pkg-constants
FORMAT =
[log]
ROOT_PATH = %(GITEA_WORK_DIR)/log
MODE = console
LEVEL = Info
STACKTRACE_LEVEL = None
logger.router.MODE = ,
logger.xorm.MODE = ,
logger.access.MODE =
ROOT_PATH = /var/log/gitea/
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info"
ACCESS_LOG_TEMPLATE = {{ '{{' }}.Ctx.RemoteAddr{{ '}}' }} - {{ '{{' }}.Identity{{ '}}' }} {{ '{{' }}.Start.Format "[02/Jan/2006:15:04:05 -0700]" {{ '}}' }} "{{ '{{' }}.Ctx.Req.Method{{ '}}' }} {{ '{{' }}.Ctx.Req.RequestURI{{ '}}' }} {{ '{{' }}.Ctx.Req.Proto{{ '}}' }}" {{ '{{' }}.ResponseWriter.Status{{ '}}' }} {{ '{{' }}.ResponseWriter.Size{{ '}}' }} "{{ '{{' }}.Ctx.Req.Referer{{ '}}' }}\" \"{{ '{{' }}.Ctx.Req.UserAgent{{ '}}' }}"
logger.access.MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
STACKTRACE_LEVEL = Critical
; Generic log modes
[log.x]
FLAGS = stdflags
EXPRESSION =
PREFIX =
COLORIZE = false
; For "console" mode only
[log.console]
MODE = console
FLAGS = stdflags
PREFIX =
COLORIZE = true
; For "file" mode only
[log.file]
LEVEL =
; Set the file_name for the logger. If this is a relative path this
; will be relative to ROOT_PATH
FILE_NAME =
; This enables automated log rotate(switch of following options), default is true
LOG_ROTATE = true
; Max number of lines in a single file, default is 1000000
MAX_LINES = 1000000
; Max size shift of a single file, default is 28 means 1 << 28, 256MB
MAX_SIZE_SHIFT = 28
; Segment log daily, default is true
DAILY_ROTATE = true
; delete the log file after n days, default is 7
MAX_DAYS = 7
; compress logs with gzip
COMPRESS = true
; compression level see godoc for compress/gzip
COMPRESSION_LEVEL = -1
; For "conn" mode only
[log.conn]
LEVEL =
; Reconnect host for every single message, default is false
RECONNECT_ON_MSG = false
; Try to reconnect when connection is lost, default is false
RECONNECT = false
; Either "tcp", "unix" or "udp", default is "tcp"
PROTOCOL = tcp
; Host address
ADDR =
; For "smtp" mode only
[log.smtp]
LEVEL =
; Name displayed in mail title, default is "Diagnostic message from server"
SUBJECT = Diagnostic message from server
; Mail server
HOST =
; Mailer user name and password
USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD =
; Receivers, can be one or more, e.g. 1@example.com,2@example.com
RECEIVERS =
[cron]
; Enable running cron tasks periodically.
ENABLED = true
; Run cron tasks when Gitea starts.
RUN_AT_START = false
; Update mirrors
[cron.update_mirrors]
SCHEDULE = @every 10m
; Repository health check
[cron.repo_health_check]
SCHEDULE = @every 24h
TIMEOUT = 60s
; Arguments for command 'git fsck', e.g. "--unreachable --tags"
; see more on http://git-scm.com/docs/git-fsck
ARGS =
; Check repository statistics
[cron.check_repo_stats]
RUN_AT_START = true
SCHEDULE = @every 24h
; Clean up old repository archives
[cron.archive_cleanup]
; Whether to enable the job
ENABLED = true
; Whether to always run at least once at start up time (if ENABLED)
RUN_AT_START = true
; Time interval for job to run
SCHEDULE = @every 24h
; Archives created more than OLDER_THAN ago are subject to deletion
OLDER_THAN = 24h
; Synchronize external user data (only LDAP user synchronization is supported)
[cron.sync_external_users]
; Synchronize external user data when starting server (default false)
RUN_AT_START = false
; Interval as a duration between each synchronization (default every 24h)
SCHEDULE = @every 24h
; Create new users, update existing user data and disable users that are not in external source anymore (default)
; or only create new users if UPDATE_EXISTING is set to false
UPDATE_EXISTING = true
[git]
; Disables highlight of added and removed changes
DISABLE_DIFF_HIGHLIGHT = false
; Max number of lines allowed in a single file in diff view
MAX_GIT_DIFF_LINES = 1000
; Max number of allowed characters in a line in diff view
MAX_GIT_DIFF_LINE_CHARACTERS = 5000
; Max number of files shown in diff view
MAX_GIT_DIFF_FILES = 100
; Arguments for command 'git gc', e.g. "--aggressive --auto"
; see more on http://git-scm.com/docs/git-gc/
GC_ARGS =
; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
EnableAutoGitWireProtocol = true
; Operation timeout in seconds
[git.timeout]
DEFAULT = 360
MIGRATE = 600
MIRROR = 300
CLONE = 300
PULL = 300
GC = 60
[mirror]
; Default interval as a duration between each check
DEFAULT_INTERVAL = 8h
; Min interval as a duration must be > 1m
MIN_INTERVAL = 10m
[api]
; Enables Swagger. True or false; default is true.
ENABLE_SWAGGER = true
; Max number of items in a page
MAX_RESPONSE_ITEMS = 50
; Default paging number of api
DEFAULT_PAGING_NUM = 30
; Default and maximum number of items per page for git trees api
DEFAULT_GIT_TREES_PER_PAGE = 1000
; Default size of a blob returned by the blobs API (default is 10MiB)
DEFAULT_MAX_BLOB_SIZE = 10485760
[oauth2]
; Enables OAuth2 provider
ENABLE = true
; Lifetime of an OAuth2 access token in seconds
ACCESS_TOKEN_EXPIRATION_TIME = 3600
; Lifetime of an OAuth2 access token in hours
REFRESH_TOKEN_EXPIRATION_TIME = 730
; Check if refresh token got already used
INVALIDATE_REFRESH_TOKENS = false
; OAuth2 authentication secret for access and refresh tokens, change this a unique string.
JWT_SECRET = {{ secrets.Foundation.jwt_secret }}
[i18n]
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어
; Used for datetimepicker
[i18n.datelang]
en-US = en
zh-CN = zh
zh-HK = zh-HK
zh-TW = zh-TW
de-DE = de
fr-FR = fr
nl-NL = nl
lv-LV = lv
ru-RU = ru
uk-UA = uk
ja-JP = ja
es-ES = es
pt-BR = pt-BR
pl-PL = pl
bg-BG = bg
it-IT = it
fi-FI = fi
tr-TR = tr
cs-CZ = cs-CZ
sr-SP = sr
sv-SE = sv
ko-KR = ko
[U2F]
; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED
; Two Factor authentication with security keys
; https://developers.yubico.com/U2F/App_ID.html
; APP_ID = http://localhost:3000/
; Comma seperated list of trusted facets
; TRUSTED_FACETS = http://localhost:3000/
; Extension mapping to highlight class
; e.g. .toml=ini
[highlight.mapping]
[other]
SHOW_FOOTER_BRANDING = false
; Show version information about Gitea and Go in the footer
SHOW_FOOTER_VERSION = false
; Show template execution time in the footer
SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
[markup.asciidoc]
ENABLED = false
; List of file extensions that should be rendered by an external command
FILE_EXTENSIONS = .adoc,.asciidoc
; External command to render all matching extensions
RENDER_COMMAND = asciidoc --out-file=- -
; Don't pass the file on STDIN, pass the filename as argument instead.
IS_INPUT_FILE = false
[metrics]
; Enables metrics endpoint. True or false; default is false.
ENABLED = false
; If you want to add authorization, specify a token here
TOKEN =
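
Review bot: in `[oauth2]`, `INVALIDATE_REFRESH_TOKENS = false` combined with `REFRESH_TOKEN_EXPIRATION_TIME = 730` lets a leaked refresh token be replayed for the full 730 hours, even after the legitimate client has already used it; set it to `true` unless a client depends on reuse. The comment above `REFRESH_TOKEN_EXPIRATION_TIME` says "access token" where it should say "refresh token". `ENABLE_SWAGGER = true` and `SHOW_FOOTER_TEMPLATE_LOAD_TIME = true` also deserve a second look, given that `SHOW_FOOTER_VERSION` was deliberately switched off, and the `[U2F]` `APP_ID` is still commented out under a note saying the defaults need to be changed.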

View File

@ -0,0 +1,10 @@
---
- name: Install Games packages
become: yes
package:
name:
- mgba-qt
- steam
- steam-native-runtime
- discord
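
Review bot: the `package` task lists names but sets no `state:`. The Geth-Hub packages task in this same change set spells out `state: present`, so add it here as well to keep the roles consistent and the intent explicit.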

14
roles/Geth-Hub/README.md Normal file
View File

@ -0,0 +1,14 @@
These hubs are self-made IoT devices using [Raspberry Pi's](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/) on [Raspbian](https://www.raspberrypi.com/software). They provide cameras and IR remotes to control televisions, which can be used with Chromecasts to project [AniNIX/Yggdrasil](../Yggdrasil/) media for users to view. Usually, they'll be wrapped in a maker case with a cellphone 5A charger on a wall mount.
# Relevant Files and Configuration
For the camera, we use the [motion](https://motion-project.github.io/motion_config.html) service to control the Raspberry Pi [camera module](https://www.raspberrypi.com/products/camera-module-v2/). This is reflected in the motion config.
For the IR control we use an [IR shield](https://www.amazon.com/s?k=Raspberry+pi+infrared+expansion+board+IR+transmitter&ref=nb_sb_noss) controlled by the [lircd](https://www.lirc.org/) service. As a note, in order for this to work, you have to set the pinout in the `/boot/config.txt` -- we try to default this in, but you may need to set `gpio_in_pin` and `gpio_out_pin` attributes for your particular board and shield.
We also set up an SNMPv3 daemon service on the hubs, to work with their IR control. This snmpd requires the Geth OVA to add snmpget using `apk update && apk add net-snmp-tools` from the `Terminal & SSH` add-on. Covers can then be added from the [command-line integration](https://www.home-assistant.io/integrations/command_line/). They'll look something like this:
```
```
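
Review bot: the fenced block after "They'll look something like this:" is empty, so the README never shows the command-line cover it promises. Add a sample entry with placeholder credentials, and state which SNMPv3 security level the hubs expect so readers do not fall back to a weaker one.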

View File

@ -0,0 +1,23 @@
# /etc/lirc/hardware.conf
#
# Arguments which will be used when launching lircd
LIRCD_ARGS="--uinput --listen"
#Don't start lircmd even if there seems to be a good config file
#START_LIRCMD=false
#Don't start irexec, even if a good config file seems to exist.
#START_IREXEC=false
#Try to load appropriate kernel modules
LOAD_MODULES=true
# Run "lircd --driver=help" for a list of supported drivers.
DRIVER="default"
# usually /dev/lirc0 is the correct setting for systems using udev
DEVICE="/dev/lirc0"
MODULES="lirc_rpi"
# Default configuration files for your hardware if any
LIRCD_CONF=""
LIRCMD_CONF=""
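
Review bot: `LIRCD_ARGS="--uinput --listen"` asks lircd to accept network clients, and nothing in this file restricts who may connect, so any host that can reach the hub could send IR commands. Drop `--listen` or bind it to loopback unless remote clients are really needed. `MODULES="lirc_rpi"` also disagrees with the tasks file, which configures `dtoverlay=gpio-ir` and leaves the `lirc_rpi` line commented out in the modules template.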

View File

@ -0,0 +1,41 @@
# These are the default options to lircd, if installed as
# /etc/lirc/lirc_options.conf. See the lircd(8) and lircmd(8)
# manpages for info on the different options.
#
# Some tools including mode2 and irw uses values such as
# driver, device, plugindir and loglevel as fallback values
# in not defined elsewhere.
[lircd]
nodaemon = False
driver = default
device = /dev/lirc0
output = /var/run/lirc/lircd
pidfile = /var/run/lirc/lircd.pid
plugindir = /usr/lib/arm-linux-gnueabihf/lirc/plugins
permission = 666
allow-simulate = No
repeat-max = 600
#effective-user =
#listen = [address:]port
#connect = host[:port]
#loglevel = 6
#release = true
#release_suffix = _EVUP
#logfile = ...
#driver-options = ...
[lircmd]
uinput = False
nodaemon = False
# [modinit]
# code = /usr/sbin/modprobe lirc_serial
# code1 = /usr/bin/setfacl -m g:lirc:rw /dev/uinput
# code2 = ...
# [lircd-uinput]
# add-release-events = False
# release-timeout = 200
# release-suffix = _EVUP
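
Review bot: `permission = 666` under `[lircd]` makes the `/var/run/lirc/lircd` socket writable by every local account, so any process on the hub can transmit IR codes. Prefer `660` with a dedicated group for the accounts that need it; the commented `setfacl -m g:lirc:rw` line further down suggests a `lirc` group is the intended pattern.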

View File

@ -0,0 +1,100 @@
# Please make this file available to others
# by sending it to <lirc@bartelmus.de>
#
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
#
# contributed by
#
# brand: Insignia
# model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV
#
begin remote
name NS-RC4NA-14
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9102 4441
one 640 1623
zero 640 496
ptrail 639
repeat 9103 2189
pre_data_bits 16
pre_data 0x61A0
gap 108350
toggle_bit_mask 0x0
begin codes
KEY_POWER 0xF00F
KEY_CONFIG 0xB847
KEY_VOLUMEUP 0x30CF
KEY_VOLUMEDOWN 0xB04F
KEY_MUTE 0x708F
KEY_ENTER 0x18E7
end codes
end remote
begin remote
name iRobot_Roomba
flags RAW_CODES|CONST_LENGTH
eps 30
aeps 100
ptrail 0
repeat 0 0
gap 91790
begin raw_codes
name clean
2831 886 972 2709 944 2711
943 2710 2743 893 958 2723
931 2722 927 19304 2811 897
954 2726 927 2726 927 2726
2747 889 966 2714 942 2710
941
name spot
2855 858 961 2720 935 2718
934 2718 937 2716 2744 893
960 2721 931 19526 2829 882
968 2711 943 2711 942 2710
942 2710 2744 893 960 2720
934
name max
2818 898 957 2725 931 2723
933 2720 936 2718 2749 890
966 2714 2748 17722 2831 882
961 2720 925 2729 927 2726
926 2728 2753 886 968 2713
2749
name power
2837 883 970 2711 943 2712
942 2711 2747 893 963 2718
2755 886 965 19522 2816 895
955 2727 928 2726 930 2724
2758 883 970 2712 2748 891
962
name pause
2823 897 956 2729 933 2723
936 2721 2751 889 965 2722
937 2721 2748 17726 2828 886
970 2713 942 2713 939 2716
2753 888 970 2714 942 2713
2754
end raw_codes
end remote

View File

@ -0,0 +1,157 @@
# Please make this file available to others
# by sending it to <lirc@bartelmus.de>
#
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Jun 29 00:24:26 2017
#
# contributed by darkfeather@aninix.net
#
# brand: LG.conf
# model no. of remote control: AKB73715608
# devices being controlled by this remote: TV
#
begin remote
name LASKO
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9063 4496
one 579 1673
zero 579 546
ptrail 580
repeat 9066 2248
pre_data_bits 16
pre_data 0x20DF
gap 108528
toggle_bit_mask 0x0
begin codes
KEY_POWER 0x10EF
KEY_VOLUMEUP 0x40BF
KEY_VOLUMEDOWN 0xC03F
KEY_CONFIG 0xD02F
KEY_ENTER 0x22DD
KEY_MUTE 0x906F
end codes
end remote
# Please make this file available to others
# by sending it to <lirc@bartelmus.de>
#
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Tue May 1 06:40:29 2018
#
# contributed by
#
# brand: ./lasko.conf
# model no. of remote control:
# devices being controlled by this remote:
#
begin remote
name ./lasko.conf
flags RAW_CODES|CONST_LENGTH
eps 30
aeps 100
ptrail 413
gap 53152
begin raw_codes
name KEY_POWER
1253 391 1256 391 428 1258
1258 424 1226 428 400 1294
397 1307 386 1291 398 1295
396 1264 429 1289 1230 6912
1265 383 1264 427 388 1314
1199 425 1230 428 396 1324
375 1259 420 1264 423 1312
379 1293 397 1261 1259
name KEY_MUTE
1266 374 1256 394 426 1256
1259 447 1202 431 397 1294
393 1306 388 1292 397 1318
373 1261 1258 411 414 7771
1261 392 1257 421 395 1268
1247 424 1225 431 398 1292
398 1294 397 1292 396 1307
385 1288 1229 430 397
name KEY_VOLUMEDOWN
1252 395 1258 392 426 1256
1258 393 1257 398 430 1293
395 1296 395 1267 424 1292
1226 432 397 1265 424 7772
1260 392 1257 391 426 1258
1267 386 1256 400 425 1267
427 1300 391 1315 368 1269
1262 487 334 1297 387
name KEY_MOVE
1256 394 1253 420 399 1293
1224 391 1255 403 424 1265
427 1282 411 1294 1224 429
396 1292 399 1290 408 7767
1256 391 1257 422 396 1268
1279 393 1232 393 426 1294
396 1263 428 1315 1226 411
425 1235 430 1259 427
end raw_codes
end remote
# Please make this file available to others
# by sending it to <lirc@bartelmus.de>
#
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
#
# contributed by
#
# brand: Insignia
# model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV
#
begin remote
name NS-RC4NA-14
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9102 4441
one 640 1623
zero 640 496
ptrail 639
repeat 9103 2189
pre_data_bits 16
pre_data 0x61A0
gap 108350
toggle_bit_mask 0x0
begin codes
KEY_POWER 0xF00F
KEY_CONFIG 0xB847
KEY_VOLUMEUP 0x30CF
KEY_VOLUMEDOWN 0xB04F
KEY_MUTE 0x708F
KEY_ENTER 0x18E7
end codes
end remote
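
Review bot: the first remote is named `LASKO`, but its header says brand `LG.conf`, model `AKB73715608`, and its timings, `pre_data 0x20DF` and key codes match the `LG-AKB73715608` definition elsewhere in this change set. The raw-code remote is named `./lasko.conf`, which looks like a file path left over from recording. Rename both so the remote names say which device each one drives. The trailing `NS-RC4NA-14` block also repeats the standalone Insignia definition line for line.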

View File

@ -0,0 +1,28 @@
begin remote
name LG-AKB73715608
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9063 4496
one 579 1673
zero 579 546
ptrail 580
repeat 9066 2248
pre_data_bits 16
pre_data 0x20DF
gap 108528
toggle_bit_mask 0x0
begin codes
KEY_POWER 0x10EF
KEY_VOLUMEUP 0x40BF
KEY_VOLUMEDOWN 0xC03F
KEY_CONFIG 0xD02F
KEY_ENTER 0x22DD
KEY_MUTE 0x906F
end codes
end remote

View File

@ -0,0 +1,28 @@
begin remote
name LG-AKB73715608
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9063 4496
one 579 1673
zero 579 546
ptrail 580
repeat 9066 2248
pre_data_bits 16
pre_data 0x20DF
gap 108528
toggle_bit_mask 0x0
begin codes
KEY_POWER 0x10EF
KEY_VOLUMEUP 0x40BF
KEY_VOLUMEDOWN 0xC03F
KEY_CONFIG 0xD02F
KEY_ENTER 0x22DD
KEY_MUTE 0x906F
end codes
end remote
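
Review bot: this file repeats the previous `LG-AKB73715608` definition line for line. If both paths are needed, keep one copy and point the `remote` variable at it, so a corrected code does not have to be changed in two places.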

View File

@ -0,0 +1,28 @@
begin remote
name NS-RC4NA-14
bits 16
flags SPACE_ENC|CONST_LENGTH
eps 30
aeps 100
header 9102 4441
one 640 1623
zero 640 496
ptrail 639
repeat 9103 2189
pre_data_bits 16
pre_data 0x61A0
gap 108350
toggle_bit_mask 0x0
begin codes
KEY_POWER 0xF00F
KEY_CONFIG 0xB847
KEY_VOLUMEUP 0x30CF
KEY_VOLUMEDOWN 0xB04F
KEY_MUTE 0x708F
KEY_ENTER 0x18E7
end codes
end remote

View File

@ -0,0 +1,174 @@
# Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.3.2
# Documentation: /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working. There are many more options available. Please
# consult the documentation for the complete list of all options.
#
############################################################
# System control configuration parameters
############################################################
# Start in daemon (background) mode and release terminal.
daemon off
# Start in Setup-Mode, daemon disabled.
setup_mode off
# File to store the process ID.
; pid_file value
# File to write logs messages into. If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log
# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6
# Target directory for pictures, snapshots and movies
target_dir /var/lib/motion
# Video device (e.g. /dev/video0) to be used for capturing.
videodevice /dev/video0
# Parameters to control video device. See motion_guide.html
; vid_control_params value
# The full URL of the network camera stream.
; netcam_url value
# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value
# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_control_params value
############################################################
# Image Processing configuration parameters
############################################################
# Image width in pixels.
width 640
# Image height in pixels.
height 480
# Maximum number of frames to be captured per second.
framerate 15
# Rotate to fit
rotate 90
# Text to be overlayed in the lower left corner of images
text_left GETH-HUB-3
# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q
############################################################
# Motion detection configuration parameters
############################################################
# Always save pictures and movies even if there was no motion.
emulate_motion off
# Threshold for number of changed pixels that triggers motion.
threshold 1500
# Noise threshold for the motion detection.
; noise_level 32
# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl
# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1
# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 60
# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3
# Number of frames to capture after motion is no longer detected.
post_capture 0
############################################################
# Script execution configuration parameters
############################################################
# Command to be executed when an event starts.
; on_event_start value
# Command to be executed when an event ends.
; on_event_end value
# Command to be executed when a movie file is closed.
; on_movie_end value
############################################################
# Picture output configuration parameters
############################################################
# Output pictures when motion is detected
picture_output off
# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q
############################################################
# Movie output configuration parameters
############################################################
# Create movies of motion events.
movie_output on
# Maximum length of movie in seconds.
movie_max_time 60
# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45
# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv
# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S
############################################################
# Webcontrol configuration parameters
############################################################
# Port number used for the webcontrol.
webcontrol_port 8080
# Restrict webcontrol connections to the localhost.
webcontrol_localhost on
# Type of configuration options to allow via the webcontrol.
webcontrol_parms 0
############################################################
# Live stream configuration parameters
############################################################
# The port number for the live stream.
stream_port 8081
# Restrict stream connections to the localhost.
stream_localhost off
##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf
##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d
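
Review bot: `stream_localhost off` publishes the live camera feed on port 8081 to every host that can reach the hub, and the file sets no stream authentication or TLS. Either require credentials on the stream (motion's `stream_auth_method` and `stream_authentication` options) or keep it on loopback behind an authenticating proxy. `webcontrol_localhost on` already makes the safer choice for the control port.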

View File

@ -0,0 +1,174 @@
# Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.3.2
# Documentation: /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working. There are many more options available. Please
# consult the documentation for the complete list of all options.
#
############################################################
# System control configuration parameters
############################################################
# Start in daemon (background) mode and release terminal.
daemon off
# Start in Setup-Mode, daemon disabled.
setup_mode off
# File to store the process ID.
; pid_file value
# File to write logs messages into. If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log
# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6
# Target directory for pictures, snapshots and movies
target_dir /var/lib/motion
# Video device (e.g. /dev/video0) to be used for capturing.
videodevice /dev/video0
# Parameters to control video device. See motion_guide.html
; vid_control_params value
# The full URL of the network camera stream.
; netcam_url value
# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value
# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_control_params value
############################################################
# Image Processing configuration parameters
############################################################
# Image width in pixels.
width 640
# Image height in pixels.
height 480
# Maximum number of frames to be captured per second.
framerate 15
# Rotate to fit
rotate 90
# Text to be overlayed in the lower left corner of images
text_left GETH-HUB-3
# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q
############################################################
# Motion detection configuration parameters
############################################################
# Always save pictures and movies even if there was no motion.
emulate_motion off
# Threshold for number of changed pixels that triggers motion.
threshold 1500
# Noise threshold for the motion detection.
; noise_level 32
# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl
# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1
# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 60
# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3
# Number of frames to capture after motion is no longer detected.
post_capture 0
############################################################
# Script execution configuration parameters
############################################################
# Command to be executed when an event starts.
; on_event_start value
# Command to be executed when an event ends.
; on_event_end value
# Command to be executed when a movie file is closed.
; on_movie_end value
############################################################
# Picture output configuration parameters
############################################################
# Output pictures when motion is detected
picture_output off
# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q
############################################################
# Movie output configuration parameters
############################################################
# Create movies of motion events.
movie_output on
# Maximum length of movie in seconds.
movie_max_time 60
# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45
# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv
# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S
############################################################
# Webcontrol configuration parameters
############################################################
# Port number used for the webcontrol.
webcontrol_port 8080
# Restrict webcontrol connections to the localhost.
webcontrol_localhost on
# Type of configuration options to allow via the webcontrol.
webcontrol_parms 0
############################################################
# Live stream configuration parameters
############################################################
# The port number for the live stream.
stream_port 8081
# Restrict stream connections to the localhost.
stream_localhost off
##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf
##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d
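
Review bot: this copy is identical to the previous motion config, including `text_left GETH-HUB-3`, so unless it is meant for that same host, the overlay on recordings will name the wrong hub. Since the tasks deploy `motion.conf.j2` as a template, a single templated file with the hostname as a variable would replace the static copies.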

View File

@ -0,0 +1,174 @@
# Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.3.2
# Documentation: /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working. There are many more options available. Please
# consult the documentation for the complete list of all options.
#
############################################################
# System control configuration parameters
############################################################
# Start in daemon (background) mode and release terminal.
daemon off
# Start in Setup-Mode, daemon disabled.
setup_mode off
# File to store the process ID.
; pid_file value
# File to write logs messages into. If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log
# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6
# Target directory for pictures, snapshots and movies
target_dir /var/lib/motion
# Video device (e.g. /dev/video0) to be used for capturing.
videodevice /dev/video0
# Parameters to control video device. See motion_guide.html
; vid_control_params value
# The full URL of the network camera stream.
; netcam_url value
# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value
# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_control_params value
############################################################
# Image Processing configuration parameters
############################################################
# Image width in pixels.
width 640
# Image height in pixels.
height 480
# Maximum number of frames to be captured per second.
framerate 15
# Rotate to fit
rotate 90
# Text to be overlayed in the lower left corner of images
text_left GETH-HUB-3
# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q
############################################################
# Motion detection configuration parameters
############################################################
# Always save pictures and movies even if there was no motion.
emulate_motion off
# Threshold for number of changed pixels that triggers motion.
threshold 1500
# Noise threshold for the motion detection.
; noise_level 32
# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl
# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1
# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 60
# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3
# Number of frames to capture after motion is no longer detected.
post_capture 0
############################################################
# Script execution configuration parameters
############################################################
# Command to be executed when an event starts.
; on_event_start value
# Command to be executed when an event ends.
; on_event_end value
# Command to be executed when a movie file is closed.
; on_movie_end value
############################################################
# Picture output configuration parameters
############################################################
# Output pictures when motion is detected
picture_output off
# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q
############################################################
# Movie output configuration parameters
############################################################
# Create movies of motion events.
movie_output on
# Maximum length of movie in seconds.
movie_max_time 60
# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45
# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv
# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S
############################################################
# Webcontrol configuration parameters
############################################################
# Port number used for the webcontrol.
webcontrol_port 8080
# Restrict webcontrol connections to the localhost.
webcontrol_localhost on
# Type of configuration options to allow via the webcontrol.
webcontrol_parms 0
############################################################
# Live stream configuration parameters
############################################################
# The port number for the live stream.
stream_port 8081
# Restrict stream connections to the localhost.
stream_localhost off
##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf
##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d

View File

@ -0,0 +1,147 @@
---
- name: Geth-Hub packages
become: yes
package:
name:
- motion
- lirc
- snmpd
- libcamera-apps
- ir-keytable
state: present
update_cache: yes
- name: Copy the SSH key
authorized_key:
user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
- name: Copy the motion config
become: yes
register: motion_config
template:
src: "motion.conf.j2"
dest: "/etc/motion/motion.conf"
- name: Create motion log folder
become: yes
file:
path: "{{ item }}"
state: directory
owner: motion
group: motion
mode: 0750
loop:
- "/var/log/motion"
- "/var/run/motion"
- name: Restart the motion service
become: yes
when: motion_config.changed and motion_enabled
service:
name: motion
state: started
enabled: yes
- name: Allow override of motion service
become: yes
when: not motion_enabled
service:
name: motion
state: stopped
enabled: no
# Thanks to https://wiki.geekworm.com/Raspberry_Pi_IR_Control_Expansion_Board for instructions setting up lirc
- name: Set the dtoverlay
become: yes
register: dtoverlay
blockinfile:
path: "/boot/config.txt"
insertafter: EOF
marker: "# {mark} Ubiqtorate Managed Block"
block: |
dtoverlay=gpio-ir,gpio_pin={{ gpio_in_pin | default('18') }}
dtoverlay=gpio-ir-tx,gpio_pin={{ gpio_out_pin | default('17') }}
start_x=1
- name: Unset camera autodetect
become: yes
register: camera_autodetect
lineinfile:
path: "/boot/config.txt"
regexp: "camera_auto_detect"
line: "# camera_auto_detect=1"
- name: Set the dtparam
become: yes
register: dtparam
lineinfile:
path: "/boot/config.txt"
regexp: "^dtparam="
line: "dtparam=gpio_in_pull={{ gpio_in_pull | default('down') }}"
- name: Copy the modules config
become: yes
register: modules_config
template:
src: "modules.j2"
dest: "/etc/modules"
- name: Copy the modules config, part 2
become: yes
register: modules_config_2
template:
src: "lirc_rpi.conf.j2"
dest: "/etc/modprobe.d/lirc_rpi.conf"
- name: Reboot if needed
become: yes
when: modules_config.changed or dtparam.changed or dtoverlay.changed or modules_config_2.changed or camera_autodetect.changed
reboot:
- name: Wait if needed
become: yes
when: modules_config.changed or dtparam.changed or dtoverlay.changed or modules_config_2.changed
wait_for_connection:
- name: Copy lircd supplemental config
register: lircd_supp_config
become: yes
copy:
src: "{{ item }}"
dest: "/etc/lirc/{{ item }}"
loop:
- hardware.conf
- lirc_options.conf
- name: Copy lircd remote config
register: lircd_remote_config
become: yes
copy:
src: "lircd.conf/{{ remote }}"
dest: /etc/lirc/lircd.conf
- name: Start the services
when: lircd_supp_config.changed or lircd_remote_config.changed
become: yes
service:
name: lircd
state: restarted
enabled: yes
- name: SNMPD config
become: yes
template:
src: snmpd.conf.j2
dest: /etc/snmp/snmpd.conf
- name: SNMPD service
become: yes
service:
name: snmpd
state: restarted
enabled: yes
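Review bot: The "SNMPD config" task at the end of this file templates /etc/snmp/snmpd.conf with no owner, group or mode, and the snmpd.conf.j2 template in this change writes the SNMPv3 passphrases into that file. Set owner: root, group: root and mode: "0600" on the template task. Two smaller points in the same file: "Restart the motion service" uses state: started, which does nothing when motion is already running after a config change (state: restarted matches the task name), and "Wait if needed" omits camera_autodetect.changed from a condition that "Reboot if needed" includes. The reboot module already waits for the host to come back, so the wait task can probably be dropped. "SNMPD service" also restarts snmpd on every run; registering the template result and restarting only on change would match the lircd tasks above it.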

View File

@ -0,0 +1 @@
options gpio_ir_recv gpio_in_pin={{ gpio_in_pin | default('18') }} gpio_out_pin={{ gpio_out_pin | default('17') }}
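Review bot: The pin defaults default('18') and default('17') are now repeated in three places (the /boot/config.txt block, this options line, and the commented line in modules.j2), so a changed default has to be edited in each. Define gpio_in_pin and gpio_out_pin once in the role's defaults and drop the inline default() filters. The destination is also named lirc_rpi.conf while the options line targets gpio_ir_recv; a file name matching the module would be easier to find later.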

View File

@ -0,0 +1,10 @@
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# lirc_dev
# lirc_rpi gpio_in_pin={{ gpio_in_pin | default('18') }} gpio_out_pin={{ gpio_out_pin | default('17') }}
bcm2835-v4l2
r8188eu

View File

@ -0,0 +1,176 @@
# Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.3.2
# Documentation: /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working. There are many more options available. Please
# consult the documentation for the complete list of all options.
#
############################################################
# System control configuration parameters
############################################################
# Start in daemon (background) mode and release terminal.
daemon off
# Start in Setup-Mode, daemon disabled.
setup_mode off
# File to store the process ID.
; pid_file value
# File to write logs messages into. If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log
# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6
# Target directory for pictures, snapshots and movies
target_dir /var/lib/motion
# Video device (e.g. /dev/video0) to be used for capturing.
videodevice /dev/video0
# Parameters to control video device. See motion_guide.html
; vid_control_params value
# The full URL of the network camera stream.
; netcam_url value
# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value
mmalcam_name vc.ril.camera
mmalcam_use_still off
# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_control_params value
############################################################
# Image Processing configuration parameters
############################################################
# Image width in pixels.
width 1296
# Image height in pixels.
height 972
# Maximum number of frames to be captured per second.
framerate 15
# Rotate to fit
rotate {{ rotate }}
# Text to be overlayed in the lower left corner of images
text_left {{ inventory_hostname }}
# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q
############################################################
# Motion detection configuration parameters
############################################################
# Always save pictures and movies even if there was no motion.
emulate_motion off
# Threshold for number of changed pixels that triggers motion.
threshold 1500
# Noise threshold for the motion detection.
; noise_level 32
# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl
# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1
# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 60
# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3
# Number of frames to capture after motion is no longer detected.
post_capture 0
############################################################
# Script execution configuration parameters
############################################################
# Command to be executed when an event starts.
; on_event_start value
# Command to be executed when an event ends.
; on_event_end value
# Command to be executed when a movie file is closed.
; on_movie_end value
############################################################
# Picture output configuration parameters
############################################################
# Output pictures when motion is detected
picture_output off
# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q
############################################################
# Movie output configuration parameters
############################################################
# Create movies of motion events.
movie_output off
# Maximum length of movie in seconds.
movie_max_time 60
# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45
# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv
# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S
############################################################
# Webcontrol configuration parameters
############################################################
# Port number used for the webcontrol.
webcontrol_port 8080
# Restrict webcontrol connections to the localhost.
webcontrol_localhost on
# Type of configuration options to allow via the webcontrol.
webcontrol_parms 0
############################################################
# Live stream configuration parameters
############################################################
# The port number for the live stream.
stream_port 8081
# Restrict stream connections to the localhost.
stream_localhost off
##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf
##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d
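Review bot: stream_localhost off with stream_port 8081 serves the live camera feed to any host that can reach the device, and nothing in this file sets stream authentication, while webcontrol is correctly kept to localhost. If remote viewing is intended, set stream_auth_method and stream_authentication (with the credential kept alongside the other per-host secrets), or bind the stream to localhost and put an authenticated proxy in front of it. Also, rotate {{ rotate }} has no default, so a host without that variable fails the template; rotate {{ rotate | default(0) }} would keep the role usable. The first comment line ("Rename this distribution example file to motion.conf") no longer applies to a managed template and can be replaced with a note that the file is generated.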

View File

@ -0,0 +1,23 @@
sysLocation {{ inventory_hostname }}
sysContact {{ organization['admin'] }} <{{ organization['email'] }}>
sysServices 72
master agentx
agentaddress {{ ip }}:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
view remotecmds included .1
CreateUser remote SHA {{ passwords[inventory_hostname] }} AES {{ passwords[inventory_hostname] }}
rouser remote priv .1
extend -cacheTime 1 power /usr/bin/irsend SEND_ONCE {{ remote }} KEY_POWER
extend -cacheTime 1 mute /usr/bin/irsend SEND_ONCE {{ remote }} KEY_MUTE
extend -cacheTime 1 volumeup /usr/bin/irsend SEND_ONCE {{ remote }} KEY_VOLUMEUP
extend -cacheTime 1 volumedown /usr/bin/irsend SEND_ONCE {{ remote }} KEY_VOLUMEDOWN
extend -cacheTime 1 config /usr/bin/irsend SEND_ONCE {{ remote }} KEY_CONFIG
extend -cacheTime 1 enter /usr/bin/irsend SEND_ONCE {{ remote }} KEY_ENTER
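Review bot: CreateUser uses {{ passwords[inventory_hostname] }} for both the SHA authentication passphrase and the AES privacy passphrase, so one leaked value gives both, and the rendered file keeps it in clear text. Use two separate secrets and make sure the task that installs this file restricts its mode. The systemonly and remotecmds views are defined but never referenced: rouser remote priv .1 grants the whole tree directly, so either remove the views or attach one with -V. Each extend line runs irsend when its output is queried, so a comment stating that reads by this read-only user trigger IR transmissions would save the next reader a surprise.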

20
roles/Geth/README.md Normal file
View File

@ -0,0 +1,20 @@
Geth is a complete automation suite for homes and interaction with the physical world. However, it is not a automatic process, and as such you will need to install it manually.
# Etymology=The [http://masseffect.wikia.com/wiki/Geth Geth] are a fictional race in the Mass Effect universe. Geth are individual processes running on many platforms. The more devices, the smarter the collective or gestalt consciousness of the entity becomes.
# Relevant Files and Software
You can install Geth with [https://aninix.net/foundation/ConfigPackages ConfigPackages]'s Geth Makefile and configuration.
A number of devices can be controlled under the gestalt -- see [[Geth/Hardware]] for our experiments with Geth hardware platforms. The configuration.yaml format used by the underlying home-assistant package is very simple, and as such we don't prescriptively install one over the base version. Instead, we include snippets for you to define your own structure.
We are also considering features such as integrating smart lights with Shadowfeed presence detection and timeslots and requiring wireless presence for RFC door unlocks.
[file:///var/lib/hass/ Geth configuration] can be tested with the following: <pre> hass --script check_config -c /var/lib/hass</pre>
# Available Clients
See [[WebServer#Clients|this list of clients]] for tools to access this system. The Shadowfeed NAT rules will need to be updated to allow access outside the network, and make sure to follow [https://home-assistant.io/getting-started/securing/ the security checkpoints] before publishing.
# Equivalents or Competition
Most home-automation systems are DIY at the moment, though the [https://nest.com/ NEST] system is one commercial offering.
<!--|ref=REFERENCE-->}}
[[Category:SSL]]
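Review bot: This README.md is still MediaWiki markup, so it will not render as Markdown: "# Etymology=The [http://..." fuses the heading with its paragraph, links use the [url text] and [[Page]] forms, the test command sits in <pre>, and the last two lines ("<!--|ref=REFERENCE-->}}" and "[[Category:SSL]]") are template leftovers. Convert it the way the Grimoire and IRC READMEs in this change were converted. The text also describes home-assistant (hass --script check_config) while the role's tasks install openhab2; one of the two needs updating.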

View File

@ -0,0 +1,8 @@
---
- name: Geth packages
become: yes
package:
name:
- openhab2
- name:
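Review bot: The file ends with a bare "- name:" entry that has no module, which Ansible rejects when the role is loaded. Remove it or finish the task before merging.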

22
roles/Grimoire/README.md Normal file
View File

@ -0,0 +1,22 @@
Grimoire is a PostgreSQL database underlying other systems on the AniNIX, including [AniNIX/Singularity](../Singularity)
# Etymology
A [grimoire](http://en.wikipedia.org/wiki/Grimoire) is historically a collection of magical knowledge and the ability summon spirits or daemons. Similarly, Singularity adds knowledge to be read from the Grimoire, and Wiki includes the methodology to start the daemon processes being run on the network.
# Relevant Files and Software
Grimoire has a user, postgres, with a home directory of `/var/lib/postgres/`. This user's bashrc contains some help text on how to reset passwords and backup databases in PostgreSQL.
## Backups
Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following:
```
psql -U dbuser -d db -f backup.sql
```
# Available Clients
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.
# Additional Reference
Make sure to read the [PostgreSQL page on ArchWiki](https://wiki.archlinux.org/index.php/PostgreSQL) to understand how to maintain this system.
# Tables
* Singularity controls the ttrss database.
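Review bot: Small documentation fixes: "the ability summon spirits" is missing "to", and the restore example uses placeholder names (dbuser, db, backup.sql) without saying so or naming where Aether leaves the dump. "Available Clients" says Singularity and Wiki both maintain tables, but "Tables" lists only the ttrss database; add the Wiki database or drop the mention.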

View File

@ -0,0 +1,8 @@
---
- name: Grimoire packages
become: yes
package:
name:
- postgresql

64
roles/IRC/README.md Normal file
View File

@ -0,0 +1,64 @@
IRC is a chat system used by members of the AniNIX network.
# Etymology
[IRC](https://en.wikipedia.org/wiki/IRC) stands for Internet Relay Chat -- it is a method of text-based communication across the network via various servers. IRC has long been the self-hosted communication medium of choice for hackers, developers, and the fringe -- though overall adoption has dropped a bit with the rise of other social media, networks like [Libera](https://libera.chat/) are [still growing](https://royal.pingdom.com/2012/04/24/irc-is-dead-long-live-irc/). IRC is moving to the hacker niche, and we follow along.
# Relevant Files and Software
The configuration for the IRC service is divided into two parts -- the daemon and services.
## InspIRCd
The IRC daemon is powered by [InspIRCd](https://inspircd.org/). Relevant configuration is in `/etc/inspircd/` and it logs to journald.
## Anope
The services component is supplied by [Anope](https://www.anope.org/). Relevant configuration is in [the services.conf](file:///etc/anope/services.conf) and it logs to the [its own log](file:///var/log/anope/).
Anope also takes backups of [the anope database](file:///var/db/anope/anope.db) to the backups folder in the same location.
<b>Caution:</b> Anope with version 2.0.3 has some issues with gcc6. If you start encountering segmentation faults with Anope, sign in to `irc://anope.org#anope` (the Anope support IRC network). Script a run of "sudo -u ircd gdb /usr/bin/services core". Enter `r <your flags>` and when it crashes run `bt full`. Quit out of everything and pastebin the file. Provide this to the support staff.
<b>Caution:</b> Arch's packaged version of Anope may be missing critical LDAP modules. We still install the package, but you may need to use a localized install in /opt to get it working.
Anope Services' NickServ authentication can be linked to [[Sora|AniNIX::Sora]] for unified credentials.[[Category:LDAP]]
### Service entities
The following entities can be messaged personally (PM'ed) for help with `/msg <entity> help` from inside an IRC client.
* NickServ will manage IRC nicknames.
* HostServ will manage IRC virtual hosts, to mask IP's.
* ChanServ will manage IRC channels -- new channels can be registered on the network here.
* MemoServ will manage IRC memos (short text-message-like messages between users).
### Bots
#### Bitbot
BitBot is a webhook engine -- we tie it into AniNIX/Yggdrasil and AniNIX/Foundation.
### discord-irc
Discord-IRC acts as a bridge between our IRC network and Discord -- this lets us integrate with mobile push notifications & lowers the barrier to entry to the network.
# Available Clients
A [simple web client](https://irc.aninix.net) is hosted.
For more advanced options like logging, you will need to use your own client. All IRC clients will connect to the service by providing the following information:
* Host: aninix.net
* Port: 6697
* The client should accept only valid certificates.
* The client should automatically join the #lobby channel.
* The client should provide a nickname and NickServ password that the user intends to use.
### Clients by OS
Some example clients can be found here.
* Linux hosts are strongly recommended to use [weechat](https://wiki.archlinux.org/index.php/Weechat) inside [tmux](https://wiki.archlinux.org/index.php/Tmux).
* Windows hosts can connect to this service using [HexChat](https://hexchat.github.io/).
* Mac and iOS hosts can use [Colloquy](http://colloquy.info/downloads.html).
* Android hosts can use [AndChat](http://www.duckspike.net/andchat/).
# Equivalents or Competition
Rivals to IRC include other IRC networks like Libera, mail services like [Gmail](https://mail.google.com), and other chat systems like Slack, Microsoft Teams, Discord, Snapchat, WhatsApp, etc. We use Discord to provide new users with a Web-only bridge to the IRC network, but most features are only available within our own network.
# Additional Reference
* [IRCHelp.org for operators](https://www.irchelp.org/ircd/ircopguide.html)
* [InspIRCd modes reference](https://docs.inspircd.org/3/user-modes/)
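Review bot: A few MediaWiki leftovers remain in this Markdown file: "[[Sora|AniNIX::Sora]]" and "[[Category:LDAP]]" on the NickServ line will render literally. Heading levels are also uneven: "### discord-irc" sits beside "### Bots" although it reads as a bot like "#### Bitbot", and "### Clients by OS" hangs directly under a level-one heading. The Anope section points at /var/db/anope/anope.db, but the ircservices unit in this change runs with --dbdir=/opt/anope/data; the README should name the path the service actually uses.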

View File

@ -0,0 +1,17 @@
[Unit]
Description=AniNIX/IRC daemon
Requires=network.target
After=network.target
[Service]
Type=forking
PIDFile=/var/lib/inspircd/inspircd.pid
ExecStart=/usr/bin/inspircd
ExecReload=kill -HUP $MAINPID
ExecStop=kill $MAINPID
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target
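Review bot: ExecReload=kill -HUP $MAINPID and ExecStop=kill $MAINPID call kill without a path, unlike the other two units in this change, which use /bin/kill; use the absolute path here too so the unit does not depend on systemd's executable search. ExecStop can simply be removed, since systemd sends SIGTERM to the main process on stop by default. As this is the network-facing daemon, consider adding NoNewPrivileges=yes and PrivateTmp=yes as well.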

View File

@ -0,0 +1,16 @@
[Unit]
Description=AniNIX/IRC | Anope Services
Requires=network.target
After=network.target
[Service]
Type=simple
PIDFile=/run/anope/anope.pid
ExecStart=/opt/anope/bin/services --confdir=/etc/anope/ --dbdir=/opt/anope/data --localedir=/opt/anope/locale --logdir=/var/log/anope --modulesdir=/opt/anope/lib --nofork
ExecReload=/bin/kill -1 $MAINPID
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target
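Review bot: PIDFile=/run/anope/anope.pid is set on a Type=simple unit started with --nofork. systemd uses PIDFile= to find the main process of forking services, and nothing in this change creates /run/anope, so the line can go. The --dbdir=/opt/anope/data path also disagrees with the README, which documents the database at /var/db/anope/anope.db. ExecReload=/bin/kill -1 would read more clearly as -HUP, matching the other units.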

View File

@ -0,0 +1,15 @@
[Unit]
Description=AniNIX/IRC Web Client
After=network.target irc.service ircservices.service
[Service]
WorkingDirectory=/usr/local/src/KiwiIRC/
ExecStart=/bin/sh ./kiwi -f
ExecReload=/bin/kill -HUP $MAINPID
KillMode=control-group
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target
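Review bot: This unit runs as User=ircd, the same account that owns the InspIRCd and Anope configuration (opers.conf and services.conf are installed with owner ircd and mode 0600 in the tasks), so a flaw in the web client exposes the daemon's secrets. Give the web client its own unprivileged user. After=irc.service ircservices.service only orders startup; add Wants=irc.service if the client should pull the daemon in. ExecStart=/bin/sh ./kiwi -f depends on WorkingDirectory for the script path; spelling out /usr/local/src/KiwiIRC/kiwi is less fragile.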

29
roles/IRC/tasks/bots.yml Normal file
View File

@ -0,0 +1,29 @@
---
- user:
name: "{{ item }}"
state: present
shell: "{{ daemon_shell | default('/sbin/nologin') }}"
local: yes
groups: ircd
loop:
- bitbot
- dsbridge
- theraven
- werewolf
# Install TheRaven package
- package:
name:
- TheRaven
- git:
repo: 'https://github.com/jesopo/bitbot.git'
dest: /usr/local/src/bitbot/
clone: yes
update: yes
- git:
repo:
-
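Review bot: The last task is unfinished ("- git:" with an empty repo list), so this file cannot be included as it stands; main.yml has the include commented out, but the file should be completed or left out of the commit. The bitbot clone uses update: yes with no version:, so every run pulls whatever is at the head of a third-party repository onto the IRC host; pin a tag or commit. The tasks also lack name: and become: yes, unlike the rest of the role, and TheRaven is already installed by main.yml.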

102
roles/IRC/tasks/daemon.yml Normal file
View File

@ -0,0 +1,102 @@
---
- name: Ensure directory permissions
become: yes
file:
state: directory
path: "{{ item }}"
owner: ircd
group: ircd
mode: 0750
loop:
- "/var/log/inspircd"
- "/etc/inspircd"
- name: Generate dhparam
become: yes
command:
cmd: openssl dhparam -out /etc/inspircd/dhparams.pem 2048
creates: /etc/inspircd/dhparams.pem
- name: Permissions on dhparam
become: yes
file:
state: file
path: /etc/inspircd/dhparams.pem
owner: ircd
group: ircd
mode: 0640
- name: Add ircd user to ssl
become: yes
user:
name: ircd
groups: ssl
append: yes
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/irc.service
dest: /usr/lib/systemd/system/irc.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Copy config and fill in attributes
register: templatefiles
become: yes
template:
src: "inspircd/{{ item }}.j2"
dest: "/etc/inspircd/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- inspircd.conf
- modules.conf
- links.conf
- opers.conf
- rules.txt
- motd.txt
- name: Tracking directory
become: yes
file:
dest: "/etc/inspircd/data/"
owner: ircd
group: ircd
mode: 0750
state: directory
- name: Ensure tracking files
become: yes
file:
dest: "/etc/inspircd/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- 'data/xline.db'
- 'data/permchannels.conf'
- name: Ensure service running
become: yes
service:
name: irc
state: started
enabled: yes
- name: Reload on config change
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: irc
state: reloaded
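Review bot: "Ensure tracking files" calls the file module without state:, and the default state does not create a missing path, so data/xline.db and data/permchannels.conf are never created on a fresh host. Use state: touch with modification_time: preserve and access_time: preserve to keep the task idempotent. "Reload on config change" also fires on servicesfile.changed, but a changed unit file only takes effect after a restart, so split that case into a state: restarted task. On a first run the service is started and then immediately reloaded; moving the reload into a handler would avoid that.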

18
roles/IRC/tasks/main.yml Normal file
View File

@ -0,0 +1,18 @@
---
- name: IRC packages
become: yes
package:
name:
- inspircd
- anope
- TheRaven
- include_tasks: daemon.yml
- include_tasks: services.yml
- include_tasks: web.yml
#- include_tasks: bots.yml

View File

@ -0,0 +1,65 @@
---
- name: Ensure directory permissions
become: yes
file:
state: directory
path: "{{ item }}"
owner: ircd
group: ircd
mode: 0700
loop:
- "/etc/anope"
- "/opt/anope"
- "/opt/anope/data"
- "/var/log/anope"
- name: Copy config and fill in attributes
register: templatefiles
become: yes
template:
src: "anope/{{ item }}.j2"
dest: "/etc/anope/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- botserv.conf
- chanserv.conf
- global.conf
- hostserv.conf
- memoserv.conf
- modules.conf
- nickserv.conf
- operserv.conf
- services.conf
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/ircservices.service
dest: /usr/lib/systemd/system/ircservices.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Ensure service running
become: yes
service:
name: ircservices
state: started
enabled: yes
- name: Reload on config change
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: ircservices
state: reloaded
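Review bot: Nothing in this file puts Anope under /opt/anope: the tasks create /opt/anope and /opt/anope/data as empty directories, while the unit's ExecStart is /opt/anope/bin/services with modules in /opt/anope/lib, so "Ensure service running" fails on a fresh host. Either add the local install the README mentions or point the unit at the packaged binary installed by main.yml. The register name servicesfile is used in all three task files and templatefiles in two of them; distinct names per file would make the when: conditions safer to reorder.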

58
roles/IRC/tasks/web.yml Normal file
View File

@ -0,0 +1,58 @@
---
- name: Clone KiwiIRC
become: yes
git:
repo: https://github.com/prawnsalad/KiwiIRC.git
dest: /usr/local/src/KiwiIRC
update: no
# Need to capture AniNIX skinning of client as well as client build process.
- name: Update permissions
become: yes
file:
path: /usr/local/src/KiwiIRC
recurse: yes
owner: ircd
group: ircd
- name: Populate config
become: yes
register: config
template:
src: kiwiirc/config.js.j2
dest: /usr/local/src/KiwiIRC/config.js
owner: ircd
group: ircd
mode: 0600
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/ircweb.service
dest: /usr/lib/systemd/system/ircweb.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Ensure service running
become: yes
service:
name: ircweb
state: started
enabled: yes
- name: Reload on config change
become: yes
when: config.changed or servicesfile.changed
service:
name: ircweb
state: reloaded
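Review bot: "Clone KiwiIRC" has no version:, and with update: no each host keeps whatever commit was at the head of the repository on its first run, so hosts drift apart and the code is never at a known revision; pin a tag or commit hash. The inline comment says the build and skinning steps are not captured, which means "Ensure service running" depends on manual work done outside the role. "Update permissions" recursively hands the whole source tree to ircd, the user the service runs as, so the process can rewrite its own code; keep the tree root-owned and give ircd write access only where the client needs it.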

View File

@ -0,0 +1,404 @@
/*
* Example configuration file for BotServ.
*/
/*
* First, create the service. If you do not want to have a 'BotServ', but do want the ability to have
* ChanServ assigned to channels for the use of fantasy commands, you may delete the below 'service' block.
*
* Note that deleting a 'service' block for a pseudoclient that is already online will not remove the
* client, the client becomes no different from a normal service bot, so you will have to use botserv/bot
* to manually delete the client.
*
* You may then want to map some of the below commands to other services, like placing botserv/bot on
* OperServ so you can delete the below client, and mapping assign and unassign to ChanServ so users are
* able to control whether or not ChanServ is in the channel. You may also want to map botserv/set/nobot
* to OperServ so you can restrict who can assign the other core service clients.
*/
service
{
/*
* The name of the BotServ client.
* If you change this value, you probably want to change the client directive in the configuration for the botserv module too.
*/
nick = "BotServ"
/*
* The username of the BotServ client.
*/
user = "services"
/*
* The hostname of the BotServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the BotServ client.
*/
gecos = "Bot Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core BotServ module.
*
* Provides essential functionality for BotServ.
*/
module
{
name = "botserv"
/*
* The name of the client that should be BotServ.
*
* This directive is optional.
*/
client = "BotServ"
/*
* The default bot options for newly registered channels. Note that changing these options
* will have no effect on channels which are already registered. The list must be separated
* by spaces.
*
* The options are:
* - dontkickops: Channel operators will be protected against BotServ kicks
* - dontkickvoices: Voiced users will be protected against BotServ kicks
* - greet: The channel's BotServ bot will greet incoming users that have set a greet
* in their NickServ settings
* - fantasy: Enables the use of BotServ fantasy commands in the channel
*
* This directive is optional, if left blank, there will be no defaults.
*/
defaults = "greet fantasy"
/*
* The minimum number of users there must be in a channel before the bot joins it. The best
* value for this setting is 1 or 2. This can be 0, the service bots will not part unless
* specifically unassigned, and will keep the channel open.
*/
minusers = 1
/*
* The bots are currently not affected by any modes or bans when they try to join a channel.
* But some people may want to make it act like a real bot, that is, for example, remove all
* the bans affecting the bot before joining the channel, remove a ban that affects the bot
* set by a user when it is in the channel, and so on. Since it consumes a bit more CPU
* time, you should not enable this on larger networks.
*
* This directive is optional.
*/
#smartjoin = yes
/*
* Modes to set on service bots when they join channels, comment this out for no modes
*
* This directive is optional.
*/
botmodes = "ao"
/*
* User modes to set on service bots. Read the comment about the service:modes directive
* on why this can be a bad idea to set.
*/
#botumodes = "i"
}
/*
* Core BotServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "BotServ"; name = "HELP"; command = "generic/help"; }
/*
* bs_assign
*
* Provides the commands:
* botserv/assign - Used to assign BotServ bots to channels
* botserv/unassign - Used to unassign BotServ bots
* botserv/set/nobot - Used to prohibit channels from being assigned BotServ bots.
*
* Used for assigning and unassigning bots to channels.
*/
module { name = "bs_assign" }
command { service = "BotServ"; name = "ASSIGN"; command = "botserv/assign"; }
command { service = "BotServ"; name = "UNASSIGN"; command = "botserv/unassign"; }
command { service = "BotServ"; name = "SET NOBOT"; command = "botserv/set/nobot"; permission = "botserv/set/nobot"; }
/*
* bs_autoassign
*
* Allows service bots to be automatically assigned to channels upon registration.
*/
#module
{
name = "bs_autoassign"
/*
* Automatically assign ChanServ to channels upon registration.
*/
bot = "ChanServ"
}
/*
* bs_badwords
*
* Provides the command botserv/badwords.
*
* Used for controlling the channel badword list.
*/
module
{
name = "bs_badwords"
/*
* The maximum number of entries a single bad words list can have.
*/
badwordsmax = 32
/*
* If set, BotServ will use case sensitive checking for badwords.
*
* This directive is optional.
*/
#casesensitive = yes
}
command { service = "BotServ"; name = "BADWORDS"; command = "botserv/badwords"; }
/*
* bs_bot
*
* Provides the command botserv/bot.
*
* Used for administrating BotServ bots.
*/
module { name = "bs_bot" }
command { service = "BotServ"; name = "BOT"; command = "botserv/bot"; permission = "botserv/bot"; }
/*
* bs_botlist
*
* Provides the command botserv/botlist.
*
* Used for listing all available bots.
*/
module { name = "bs_botlist" }
command { service = "BotServ"; name = "BOTLIST"; command = "botserv/botlist"; }
/*
* bs_control
*
* Provides the commands botserv/act and botserv/say.
*
* Used for making the bot message a channel.
*/
module { name = "bs_control" }
command { service = "BotServ"; name = "ACT"; command = "botserv/act"; }
command { service = "BotServ"; name = "SAY"; command = "botserv/say"; }
/*
* bs_info
*
* Provides the command botserv/info.
*
* Used for getting information on bots or channels.
*/
module { name = "bs_info" }
command { service = "BotServ"; name = "INFO"; command = "botserv/info"; }
/*
* bs_kick
*
* Provides the commands:
* botserv/kick - Dummy help wrapper for the KICK command.
* botserv/kick/amsg - Configures BotServ's AMSG kicker.
* botserv/kick/badwords - Configures BotServ's badwords kicker.
* botserv/kick/bolds - Configures BotServ's bold text kiceker.
* botserv/kick/caps - Configures BotServ's capital letters kicker.
* botserv/kick/colors - Configures BotServ's color kicker.
* botserv/kick/flood - Configures BotServ's flood kicker.
* botserv/kick/italics - Configures BotServ's italics kicker.
* botserv/kick/repeat - Configures BotServ's repeat kicker.
* botserv/kick/reverses - Configures BotServ's reverse kicker.
* botserv/kick/underlines - Configures BotServ's reverse kicker.
* botserv/set/dontkickops - Used for preventing BotServ from kicking channel operators.
* botserv/set/dontkickvoices - Used for preventing BotServ from kicking voices.
*
* Used for configuring what bots should kick for.
*/
module
{
name = "bs_kick"
/*
* The amount of time that data for a user is valid in BotServ. If the data exceeds this time,
* it is reset or deleted depending on the case. Do not set it too high, otherwise your
* resources will be slightly affected.
*/
keepdata = 10m
/*
* If set, the bots will use a kick reason that does not state the word when it is kicking.
* This is especially useful if you have young people on your network.
*
* This directive is optional.
*/
gentlebadwordreason = yes
}
command { service = "BotServ"; name = "KICK"; command = "botserv/kick"; }
command { service = "BotServ"; name = "KICK AMSG"; command = "botserv/kick/amsg"; }
command { service = "BotServ"; name = "KICK BADWORDS"; command = "botserv/kick/badwords"; }
command { service = "BotServ"; name = "KICK BOLDS"; command = "botserv/kick/bolds"; }
command { service = "BotServ"; name = "KICK CAPS"; command = "botserv/kick/caps"; }
command { service = "BotServ"; name = "KICK COLORS"; command = "botserv/kick/colors"; }
command { service = "BotServ"; name = "KICK FLOOD"; command = "botserv/kick/flood"; }
command { service = "BotServ"; name = "KICK ITALICS"; command = "botserv/kick/italics"; }
command { service = "BotServ"; name = "KICK REPEAT"; command = "botserv/kick/repeat"; }
command { service = "BotServ"; name = "KICK REVERSES"; command = "botserv/kick/reverses"; }
command { service = "BotServ"; name = "KICK UNDERLINES"; command = "botserv/kick/underlines"; }
command { service = "BotServ"; name = "SET DONTKICKOPS"; command = "botserv/set/dontkickops"; }
command { service = "BotServ"; name = "SET DONTKICKVOICES"; command = "botserv/set/dontkickvoices"; }
/*
* bs_set
*
* Provides the commands:
* botserv/set/private - Used to prohibit specific BotServ bots from being assigned to channels.
*/
module { name = "bs_set" }
command { service = "BotServ"; name = "SET"; command = "botserv/set"; }
command { service = "BotServ"; name = "SET BANEXPIRE"; command = "botserv/set/banexpire"; }
command { service = "BotServ"; name = "SET PRIVATE"; command = "botserv/set/private"; permission = "botserv/set/private"; }
/*
* greet
*
* Provides the commands:
* botserv/set/greet - Used for enabling or disabling BotServ's greet messages in a channel.
* nickserv/set/greet, nickserv/saset/greet - Used for changing a users greet message, which is displayed when they enter channels.
*/
module { name = "greet" }
command { service = "BotServ"; name = "SET GREET"; command = "botserv/set/greet"; }
command { service = "NickServ"; name = "SET GREET"; command = "nickserv/set/greet"; }
command { service = "NickServ"; name = "SASET GREET"; command = "nickserv/saset/greet"; permission = "nickserv/saset/greet"; }
/*
* GREET privilege.
*
* Used by 'greet'.
*
* Users with this privilege have their greet shown when they join channels.
*/
privilege
{
name = "GREET"
rank = 40
level = 5
flag = "g"
xop = "AOP"
}
/*
* fantasy
*
* Allows 'fantaisist' commands to be used in channels.
*
* Provides the commands:
* botserv/set/fantasy - Used for enabling or disabling BotServ's fantasist commands.
*/
module
{
name = "fantasy"
/*
* Defines the prefixes for fantasy commands in channels. One of these characters will have to be prepended
* to all fantasy commands. If you choose "!", for example, fantasy commands will be "!kick",
* "!op", etc. This directive is optional, if left out, the default fantasy character is "!".
*/
#fantasycharacter = "!."
}
command { service = "BotServ"; name = "SET FANTASY"; command = "botserv/set/fantasy"; }
/*
* Fantasy commands
*
* Fantasy commands can be executed in channels that have a BotServ bot by prefixing the
* command with one of the fantasy characters configured in botserv's fantasycharacter
* directive.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
fantasy { name = "ACCESS"; command = "chanserv/access"; }
fantasy { name = "AKICK"; command = "chanserv/akick"; }
fantasy { name = "AOP"; command = "chanserv/xop"; }
fantasy { name = "BAN"; command = "chanserv/ban"; }
fantasy { name = "CLONE"; command = "chanserv/clone"; }
fantasy { name = "DEHALFOP"; command = "chanserv/modes"; }
fantasy { name = "DEOP"; command = "chanserv/modes"; }
fantasy { name = "DEOWNER"; command = "chanserv/modes"; }
fantasy { name = "DEPROTECT"; command = "chanserv/modes"; }
fantasy { name = "DEVOICE"; command = "chanserv/modes"; }
fantasy { name = "DOWN"; command = "chanserv/down"; }
fantasy { name = "ENFORCE"; command = "chanserv/enforce"; }
fantasy { name = "ENTRYMSG"; command = "chanserv/entrymsg"; }
fantasy { name = "FLAGS"; command = "chanserv/flags"; }
fantasy { name = "HALFOP"; command = "chanserv/modes"; }
fantasy { name = "HELP"; command = "generic/help"; prepend_channel = false; }
fantasy { name = "HOP"; command = "chanserv/xop"; }
fantasy { name = "INFO"; command = "chanserv/info"; prepend_channel = false; }
fantasy { name = "INVITE"; command = "chanserv/invite"; }
fantasy { name = "K"; command = "chanserv/kick"; }
fantasy { name = "KB"; command = "chanserv/ban"; }
fantasy { name = "KICK"; command = "chanserv/kick"; }
fantasy { name = "LEVELS"; command = "chanserv/levels"; }
fantasy { name = "LIST"; command = "chanserv/list"; prepend_channel = false; }
fantasy { name = "LOG"; command = "chanserv/log"; }
fantasy { name = "MODE"; command = "chanserv/mode"; }
fantasy { name = "MUTE"; command = "chanserv/ban"; kick = no; mode = "QUIET"; }
fantasy { name = "OP"; command = "chanserv/modes"; }
fantasy { name = "OWNER"; command = "chanserv/modes"; }
fantasy { name = "PROTECT"; command = "chanserv/modes"; }
fantasy { name = "QOP"; command = "chanserv/xop"; }
fantasy { name = "SEEN"; command = "chanserv/seen"; prepend_channel = false; }
fantasy { name = "SOP"; command = "chanserv/xop"; }
fantasy { name = "STATUS"; command = "chanserv/status"; }
fantasy { name = "SUSPEND"; command = "chanserv/suspend"; permission = "chanserv/suspend"; }
fantasy { name = "SYNC"; command = "chanserv/sync"; }
fantasy { name = "TOPIC"; command = "chanserv/topic"; }
fantasy { name = "UNBAN"; command = "chanserv/unban"; }
fantasy { name = "UNSUSPEND"; command = "chanserv/unsuspend"; permission = "chanserv/suspend"; }
fantasy { name = "UP"; command = "chanserv/up"; }
fantasy { name = "VOICE"; command = "chanserv/modes"; }
fantasy { name = "VOP"; command = "chanserv/xop"; }
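Review bot: The "Fantasy commands" comment says the prefix is configured in "botserv's fantasycharacter directive", but in this file the directive sits in the `fantasy` module block. Its commented-out sample value `"!."` also differs from the default `"!"` that the same block documents. Suggest rewording the comment to point at the `fantasy` module block, and either dropping the sample line or making it `#fantasycharacter = "!"`, so that uncommenting it does not add `.` as a second prefix by accident.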

File diff suppressed because it is too large

View File

@ -0,0 +1,115 @@
/*
* Example configuration file for Global.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the Global client.
* If you change this value, you probably want to change the client directive in the configuration for the global module too.
*/
nick = "Global"
/*
* The username of the Global client.
*/
user = "services"
/*
* The hostname of the Global client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the Global client.
*/
gecos = "Global Noticer"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core Global module.
*
* Provides essential functionality for Global.
*/
module
{
name = "global"
/*
* The name of the client that should be Global.
*/
client = "Global"
/*
* This is the global message that will be sent when Services are being
* shutdown/restarted.
*
* This directive is optional.
*/
#globaloncycledown = "Services are restarting, they will be back shortly - please be good while we're gone"
/*
* This is the global message that will be sent when Services (re)join the
* network.
*
* This directive is optional.
*/
#globaloncycleup = "Services are now back online - have a nice day"
/*
* If set, Services will hide the IRC Operator's nick in a global
* message/notice.
*
* This directive is optional.
*/
#anonymousglobal = yes
}
/*
* Core Global commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "Global"; name = "HELP"; command = "generic/help"; }
/*
* gl_global
*
* Provides the command global/global.
*
* Used for sending a message to every online user.
*/
module { name = "gl_global" }
command { service = "Global"; name = "GLOBAL"; command = "global/global"; permission = "global/global"; }
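Review bot: The file header still reads "Example configuration file for Global", although `host = "ircservices.{{ external_domain }}"` shows this is a template with a placeholder that has to be filled in before Services can load it. Suggest replacing the header with a short note that the file is a template, naming `external_domain` as a required variable, so nobody copies it into place unrendered or edits the rendered copy by hand.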

View File

@ -0,0 +1,188 @@
/*
* Example configuration file for HostServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the HostServ client.
* If you change this value, you probably want to change the client directive in the configuration for the hostserv module too.
*/
nick = "HostServ"
/*
* The username of the HostServ client.
*/
user = "services"
/*
* The hostname of the HostServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the HostServ client.
*/
gecos = "vHost Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core HostServ module.
*
* Provides essential functionality for HostServ.
*/
module
{
name = "hostserv"
/*
* The name of the client that should be HostServ.
*/
client = "HostServ"
/*
* If enabled, vhosts are activated on users immediately when they are set.
*/
activate_on_set = false
}
/*
* Core HostServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "HostServ"; name = "HELP"; command = "generic/help"; }
/*
* hs_del
*
* Provides the commands hostserv/del and hostserv/delall.
*
* Used for removing users' vHosts.
*/
module { name = "hs_del" }
command { service = "HostServ"; name = "DEL"; command = "hostserv/del"; permission = "hostserv/del"; }
command { service = "HostServ"; name = "DELALL"; command = "hostserv/delall"; permission = "hostserv/del"; }
/*
* hs_group
*
* Provides the command hostserv/group.
*
* Used for grouping one vHost to many nicks.
*/
module
{
name = "hs_group"
/*
* Upon nickserv/group, this option syncs the nick's main vHost to the grouped nick.
*/
syncongroup = false
/*
* This makes vhosts act as if they are per account.
*/
synconset = false
}
command { service = "HostServ"; name = "GROUP"; command = "hostserv/group"; }
/*
* hs_list
*
* Provides the command hostserv/list.
*
* Used for listing actively set vHosts.
*/
module { name = "hs_list" }
command { service = "HostServ"; name = "LIST"; command = "hostserv/list"; permission = "hostserv/list"; }
/*
* hs_off
*
* Provides the command hostserv/off.
*
* Used for turning off your vHost.
*/
module { name = "hs_off" }
command { service = "HostServ"; name = "OFF"; command = "hostserv/off"; }
/*
* hs_on
*
* Provides the command hostserv/on.
*
* Used for turning on your vHost.
*/
module { name = "hs_on" }
command { service = "HostServ"; name = "ON"; command = "hostserv/on"; }
/*
* hs_request
*
* Provides the commands hostserv/request, hostserv/activate, hostserv/reject, and hostserv/waiting.
*
* Used to manage vHosts requested by users.
*/
module
{
name = "hs_request"
/*
* If set, Services will send a memo to the user requesting a vHost when it's been
* approved or rejected.
*/
memouser = yes
/*
* If set, Services will send a memo to all Services staff when a new vHost is requested.
*/
memooper = yes
}
command { service = "HostServ"; name = "REQUEST"; command = "hostserv/request"; }
command { service = "HostServ"; name = "ACTIVATE"; command = "hostserv/activate"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "REJECT"; command = "hostserv/reject"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "WAITING"; command = "hostserv/waiting"; permission = "hostserv/set"; }
/*
* hs_set
*
* Provides the commands hostserv/set and hostserv/setall.
*
* Used for setting users' vHosts.
*/
module { name = "hs_set" }
command { service = "HostServ"; name = "SET"; command = "hostserv/set"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "SETALL"; command = "hostserv/setall"; permission = "hostserv/set"; }
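Review bot: ACTIVATE, REJECT and WAITING all reuse `permission = "hostserv/set"`, the same permission that gates SET and SETALL, so an opertype meant only to work the request queue can also assign arbitrary vHosts. If those duties are meant to be separate on this network, give the three hs_request commands their own permission name. If the sharing is intentional, a one-line comment saying so would help the next reader.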

View File

@ -0,0 +1,243 @@
/*
* Example configuration file for MemoServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the MemoServ client.
* If you change this value, you probably want to change the client directive in the configuration for the memoserv module too.
*/
nick = "MemoServ"
/*
* The username of the MemoServ client.
*/
user = "services"
/*
* The hostname of the MemoServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the MemoServ client.
*/
gecos = "Memo Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core MemoServ module.
*
* Provides essential functionality for MemoServ.
*/
module
{
name = "memoserv"
/*
* The name of the client that should be MemoServ. Clients are configured
* with the service blocks.
*/
client = "MemoServ"
/*
* The maximum number of memos a user is allowed to keep by default. Normal users may set the
* limit anywhere between 0 and this value. Services Admins can change it to any value or
* disable it.
*
* This directive is optional, but recommended. If not set, the limit is disabled
* by default, and normal users can set any limit they want.
*/
maxmemos = 20
/*
* The delay between consecutive uses of the MemoServ SEND command. This can help prevent spam
* as well as denial-of-service attacks from sending large numbers of memos and filling up disk
* space (and memory). The default 3-second wait means a maximum average of 150 bytes of memo
* per second per user under the current IRC protocol.
*
* This directive is optional, but recommended.
*/
senddelay = 3s
}
/*
* Core MemoServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "MemoServ"; name = "HELP"; command = "generic/help"; }
/*
* ms_cancel
*
* Provides the command memoserv/cancel.
*
* Used to cancel memos already sent but not yet read.
*/
module { name = "ms_cancel" }
command { service = "MemoServ"; name = "CANCEL"; command = "memoserv/cancel"; }
/*
* ms_check
*
* Provides the command memoserv/check.
*
* Used to check if a sent memo has been read.
*/
module { name = "ms_check" }
command { service = "MemoServ"; name = "CHECK"; command = "memoserv/check"; }
/*
* ms_del
*
* Provides the command memoserv/del.
*
* Used to delete your memos.
*/
module { name = "ms_del" }
command { service = "MemoServ"; name = "DEL"; command = "memoserv/del"; }
/*
* ms_ignore
*
* Provides the command memoserv/ignore.
*
* Used to ignore memos from specific users.
*/
module
{
name = "ms_ignore"
/*
* The maximum number of entries that may be on a memo ignore list.
*
* This directive is optional.
*/
max = 32
}
command { service = "MemoServ"; name = "IGNORE"; command = "memoserv/ignore"; }
/*
* ms_info
*
* Provides the command memoserv/info.
*
* Used to show memo related information about an account or a channel.
*/
module { name = "ms_info" }
command { service = "MemoServ"; name = "INFO"; command = "memoserv/info"; }
/*
* ms_list
*
* Provides the command memoserv/list.
*
* Used to list your current memos.
*/
module { name = "ms_list" }
command { service = "MemoServ"; name = "LIST"; command = "memoserv/list"; }
/*
* ms_read
*
* Provides the command memoserv/read.
*
* Used to read your memos.
*/
module { name = "ms_read" }
command { service = "MemoServ"; name = "READ"; command = "memoserv/read"; }
/*
* ms_rsend
*
* Provides the command memoserv/rsend.
*
* Used to send a memo requiring a receipt be sent back once it is read.
*
* Requires configuring memoserv:memoreceipt.
*/
#module
{
name = "ms_rsend"
/*
* Only allow Services Operators to use ms_rsend.
*
* This directive is optional.
*/
operonly = false
}
#command { service = "MemoServ"; name = "RSEND"; command = "memoserv/rsend"; }
/*
* ms_send
*
* Provides the command memoserv/send.
*
* Used to send memos.
*/
module { name = "ms_send" }
command { service = "MemoServ"; name = "SEND"; command = "memoserv/send"; }
/*
* ms_sendall
*
* Provides the command memoserv/sendall.
*
* Used to send a mass memo to every registered user.
*/
module { name = "ms_sendall" }
command { service = "MemoServ"; name = "SENDALL"; command = "memoserv/sendall"; permission = "memoserv/sendall"; }
/*
* ms_set
*
* Provides the command memoserv/set.
*
* Used to set settings such as how you are notified of new memos, and your memo limit.
*/
module { name = "ms_set" }
command { service = "MemoServ"; name = "SET"; command = "memoserv/set"; }
/*
* ms_staff
*
* Provides the command memoserv/staff.
*
* Used to send a memo to all registered staff members.
*/
module { name = "ms_staff" }
command { service = "MemoServ"; name = "STAFF"; command = "memoserv/staff"; permission = "memoserv/staff"; }
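Review bot: ms_rsend is switched off by commenting only the `#module` keyword and the `#command` line, while the block body from `{` to `}` (with `name = "ms_rsend"` and `operonly = false`) stays uncommented. Suggest commenting out the whole block so the disabled state is obvious to the next editor. It would also help to note beside it that the `memoserv:memoreceipt` setting it requires is not present in the `memoserv` module block above.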

View File

@ -0,0 +1,797 @@
/*
* [OPTIONAL] Non-Core Modules
*
* The following blocks are used to load all non-core modules, including 3rd-party modules.
* Modules can be prevented from loading by commenting out the line, other modules can be added by
* adding a module block. These modules will be loaded prior to Services connecting to your network.
*
* Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by
* running the 'extras' script on Linux and UNIX.
*/
/*
* help
*
* Provides the command generic/help.
*
* This is a generic help command that can be used with any client.
*/
module { name = "help" }
/*
* m_ldap [EXTRA]
*
* This module allows other modules to use LDAP. By itself, this module does nothing useful.
*/
module
{
name = "m_ldap"
ldap
{
server = "ldap://127.0.0.1"
port = 389
/*
* Admin credentials used for performing searches and adding users.
*/
admin_binddn = "uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
admin_password = "{{ secrets['Sora']['bindpassword'] }}"
}
}
/*
* m_ldap_authentication [EXTRA]
*
* This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
* LDAP to authenticate users. Requires m_ldap.
*/
module
{
name = "m_ldap_authentication"
/*
* The distinguished name used for searching for users's accounts.
*/
basedn = "{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
/*
* The search filter used to look up users's accounts.
* %account is replaced with the user's account.
* %object_class is replaced with the object_class configured below.
*/
search_filter = "uid=%account"
/*
* The object class used by LDAP to store user account information.
* This is used for adding new users to LDAP if registration is allowed.
*/
object_class = "organizationalPerson"
/*
* The attribute value used for account names.
*/
username_attribute = "uid"
/*
* The attribute value used for email addresses.
* This directive is optional.
*/
email_attribute = "email"
/*
* The attribute value used for passwords.
* Used when registering new accounts in LDAP.
*/
password_attribute = "userPassword"
/*
* If set, the reason to give the users who try to register with nickserv,
* including nick registration from grouping.
*
* If not set, then registration is not blocked.
*/
#disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Sora LDAP account for you."
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
disable_email_reason = "Not allowed -- this network does not use email for account management."
}
/*
* m_dns
*
* Adds support for the DNS protocol. By itself this module does nothing useful,
* but other modules such as m_dnsbl and os_dns require this.
*/
#module
{
name = "m_dns"
/*
* The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file.
* The below should work fine on all unix like systems. Windows users will have to find their nameservers
* from ipconfig /all and put the IP here.
*/
nameserver = "/etc/resolv.conf"
#nameserver = "127.0.0.1"
/*
* How long to wait in seconds before a DNS query has timed out.
*/
timeout = 5
/* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */
/*
* The IP and port services use to listen for DNS queries.
* Note that ports less than 1024 are privileged on UNIX/Linux systems, and
* require Anope to be started as root. If you do this, it is recommended you
* set options:user and options:group so Anope can change users after binding
* to this port.
*/
ip = "0.0.0.0"
port = 53
/*
* SOA record information.
*/
/* E-mail address of the DNS administrator. */
admin = "admin@example.com"
/* This should be the names of the public facing nameservers serving the records. */
nameservers = "ns1.example.com ns2.example.com"
/* The time slave servers are allowed to cache. This should be reasonably low
* if you want your records to be updated without much delay.
*/
refresh = 3600
/* A notify block. There should probably be one per nameserver listed in 'nameservers'.
*/
notify
{
ip = "192.0.2.0"
port = 53
}
}
/*
* m_dnsbl
*
* Allows configurable DNS blacklists to check connecting users against. If a user
* is found on the blacklist they will be immediately banned. This is a crucial module
* to prevent bot attacks.
*/
#module
{
name = "m_dnsbl"
/*
* If set, Services will check clients against the DNSBLs when services connect to its uplink.
* This is not recommended, and on large networks will open a very large amount of DNS queries.
* Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
*/
check_on_connect = no
/*
* If set, Services will check clients when coming back from a netsplit. This can cause a large number
* of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
* might care.
*/
check_on_netburst = no
/*
* If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
*/
add_to_akill = yes
blacklist
{
/* Name of the blacklist. */
name = "rbl.efnetrbl.org"
/* How long to set the ban for. */
time = 4h
/* Reason for akill.
* %n is the nick of the user
* %u is the ident/username of the user
* %g is the realname of the user
* %h is the hostname of the user
* %i is the IP of the user
* %r is the reply reason (configured below). Will be nothing if not configured.
* %N is the network name set in networkinfo:networkname
*/
reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info"
/* Replies to ban and their reason. If no relies are configured, all replies get banned. */
reply
{
code = 1
reason = "Open Proxy"
}
#reply
{
code = 2
reason = "spamtrap666"
}
#reply
{
code = 3
reason = "spamtrap50"
}
reply
{
code = 4
reason = "TOR"
/*
* If set, users identified to services at the time the result comes back
* will not be banned.
*/
#allow_account = yes
}
reply
{
code = 5
reason = "Drones / Flooding"
}
}
#blacklist
{
name = "dnsbl.dronebl.org"
time = 4h
reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=%N"
}
/* Exempt localhost from DNSBL checks */
exempt { ip = "127.0.0.1" }
}
/*
* m_helpchan
*
* Gives users who are op in the specified help channel usermode +h (helpop).
*/
#module
{
name = "m_helpchan"
helpchannel = "#help"
}
/*
* m_httpd
*
* Allows services to serve web pages. By itself, this module does nothing useful.
*
* Note that using this will allow users to get the IP of your services.
* To prevent this we recommend using a reverse proxy or a tunnel.
*/
#module
{
name = "m_httpd"
httpd
{
/* Name of this service. */
name = "httpd/main"
/* IP to listen on. */
ip = "0.0.0.0"
/* Port to listen on. */
port = 8080
/* Time before connections to this server are timed out. */
timeout = 30
/* Listen using SSL. Requires an SSL module. */
#ssl = yes
/* If you are using a reverse proxy that sends one of the
* extforward_headers set below, set this to its IP.
* This allows services to obtain the real IP of users by
* reading the forwarded-for HTTP header.
*/
#extforward_ip = "192.168.0.255"
/* The header to look for. These probably work as is. */
extforward_header = "X-Forwarded-For Forwarded-For"
}
}
/*
* m_ldap_oper [EXTRA]
*
* This module dynamically ties users to Anope opertypes when they identify
* via LDAP group membership. Requires m_ldap.
*
* Note that this doesn't give the user privileges on the IRCd, only in Services.
*/
#module
{
name = "m_ldap_oper"
/*
* An optional binddn to use when searching for groups.
* %a is replaced with the account name of the user.
*/
#binddn = "cn=Manager,dc=anope,dc=org"
/*
* An optional password to bind with.
*/
#password = "secret"
/*
* The base DN where the groups are.
*/
basedn = "ou=groups,dc=anope,dc=org"
/*
* The filter to use when searching for users.
* %a is replaced with the account name of the user.
*/
filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"
/*
* The attribute of the group that is the name of the opertype.
* The cn attribute should match a known opertype in the config.
*/
opertype_attribute = "cn"
}
/*
* m_mysql [EXTRA]
*
* This module allows other modules to use MySQL.
*/
#module
{
name = "m_mysql"
mysql
{
/* The name of this service. */
name = "mysql/main"
database = "anope"
server = "127.0.0.1"
username = "anope"
password =
port = 3306
}
}
/*
* m_redis
*
* This module allows other modules to use Redis.
*/
#module
{
name = "m_redis"
/* A redis database */
redis
{
/* The name of this service */
name = "redis/main"
/*
* The redis database to use. New connections default to 0.
*/
db = 0
ip = "127.0.0.1"
port = 6379
}
}
/*
* m_regex_pcre [EXTRA]
*
* Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library.
*/
#module { name = "m_regex_pcre" }
/*
* m_regex_posix [EXTRA]
*
* Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
* This is likely the only regex module you will not need extra libraries for.
*/
#module { name = "m_regex_posix" }
/*
* m_regex_tre [EXTRA]
*
* Provides the regex engine regex/tre, which uses the TRE regex library.
*/
#module { name = "m_regex_tre" }
/*
* m_rewrite
*
* Allows rewriting commands sent to/from clients.
*/
#module { name = "m_rewrite" }
#command
{
service = "ChanServ"; name = "CLEAR"; command = "rewrite"
/* Enable m_rewrite. */
rewrite = true
/* Source message to match. A $ can be used to match anything. */
rewrite_source = "CLEAR $ USERS"
/*
* Message to rewrite the source message to. A $ followed by a number, eg $0, gets
* replaced by the number-th word from the source_message, starting from 0.
*/
rewrite_target = "KICK $1 *"
/*
* The command description. This only shows up in HELP's output.
* Comment this option to prevent the command from showing in the
* HELP command.
*/
rewrite_description = "Clears all users from a channel"
}
/*
* m_proxyscan
*
* This module allows you to scan connecting clients for open proxies.
* Note that using this will allow users to get the IP of your services.
*
* Currently the two supported proxy types are HTTP and SOCKS5.
*
* The proxy scanner works by attempting to connect to clients when they
* connect to the network, and if they have a proxy running instruct it to connect
* back to services. If services are able to connect through the proxy to itself
* then it knows it is an insecure proxy, and will ban it.
*/
#module
{
name = "m_proxyscan"
/*
* The target IP services tells the proxy to connect back to. This must be a publicly
* available IP that remote proxies can connect to.
*/
#target_ip = "127.0.0.1"
/*
* The port services tells the proxy to connect to.
*/
target_port = 7226
/*
* The listen IP services listen on for incoming connections from suspected proxies.
* This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
*/
#listen_ip = "127.0.0.1"
/*
* The port services should listen on for incoming connections from suspected proxies.
* This most likely will be the same as target_port.
*/
listen_port = 7226
/*
* An optional notice sent to clients upon connect.
*/
#connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately."
/*
* Who the notice should be sent from.
*/
#connect_source = "OperServ"
/*
* If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots.
*/
add_to_akill = yes
/*
* How long before connections should be timed out.
*/
timeout = 5
proxyscan
{
/* The type of proxy to check for. A comma separated list is allowed. */
type = "HTTP"
/* The ports to check. */
port = "80,8080"
/* How long to set the ban for. */
time = 4h
/*
* The reason to ban the user for.
* %h is replaced with the type of proxy found.
* %i is replaced with the IP of proxy found.
* %p is replaced with the port.
*/
reason = "You have an open proxy running on your host (%t:%i:%p)"
}
}
/*
* m_sasl
*
* Some IRCds allow "SASL" authentication to let users identify to Services
* during the IRCd user registration process. If this module is loaded, Services will allow
* authenticating users through this mechanism. Supported mechanisms are:
* PLAIN, EXTERNAL.
*/
module { name = "m_sasl" }
/*
* m_sasl_dh-aes [EXTRA]
*
* Add the DH-AES mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-aes" }
/*
* m_sasl_dh-blowfish [EXTRA]
*
* Add the DH-BLOWFISH mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-blowfish" }
/*
* m_ssl_gnutls [EXTRA]
*
* This module provides SSL services to Anope using GnuTLS, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_gnutls or m_ssl_openssl, bot not both.
*/
#module
{
name = "m_ssl_gnutls"
/*
* An optional certificate and key for m_ssl_gnutls to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* certtool --generate-privkey --bits 2048 --outfile anope.key
* certtool --generate-self-signed --load-privkey anope.key --outfile anope.crt
*
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* Diffie-Hellman parameters to use when acting as a server. This is only
* required for TLS servers that want to use ephemeral DH cipher suites.
*
* This is NOT required for Anope to connect to the uplink server(s) via SSL.
*
* You can generate DH parameters by using:
*
* certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
*
*/
# dhparams = "data/dhparams.pem"
}
/*
* m_ssl_openssl [EXTRA]
*
* This module provides SSL services to Anope using OpenSSL, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_openssl or m_ssl_gnutls, bot not both.
*
*/
#module
{
name = "m_ssl_openssl"
/*
* An optional certificate and key for m_ssl_openssl to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* openssl genrsa -out anope.key 2048
* openssl req -new -x509 -key anope.key -out anope.crt -days 1095
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* As of 2014 SSL 3.0 is considered insecure, but it might be enabled
* on some systems by default for compatibility reasons.
* You can use the following option to enable or disable it explicitly.
* Leaving this option not set defaults to the default system behavior.
*/
sslv3 = no
}
/*
* m_sql_authentication [EXTRA]
*
* This module allows authenticating users against an external SQL database using a custom
* query.
*/
#module
{
name = "m_sql_authentication"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to authenticate. A non empty result from this query is considered a success,
* and the user will be authenticated.
*
* @a@ is replaced with the user's account name
* @p@ is replaced with the user's password
* @n@ is replaced with the user's nickname
* @i@ is replaced with the user's IP
*
* Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal
* nickserv/identify command, such as through the web panel.
*
* Furthermore, if a field named email is returned from this query the user's email is
* set to its value.
*
*
* We've included some example queries for some popular website/forum systems.
*
* Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1"
* e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)"
* SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))"
* vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))"
* IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))"
*/
query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))"
/*
* If set, the reason to give the users who try to "/msg NickServ REGISTER".
* If not set, then registration is not blocked.
*/
#disable_reason = "To register on this network visit http://some.misconfigured.site/register"
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
#disable_email_reason = "To change your email address visit http://some.misconfigured.site"
}
/*
* m_sql_log [EXTRA]
*
* This module adds an additional target option to log{} blocks
* that allows logging Service's logs to SQL. To log to SQL, add
* the SQL service name to log:targets prefixed by sql_log:. For
* example:
*
* log
* {
* targets = "services.log sql_log:mysql/main"
* ...
* }
*
* By default this module logs to the table `logs`, and will create
* it if it doesn't exist. This module does not create any indexes (keys)
* on the table and it is recommended you add them yourself as necessary.
*/
#module { name = "m_sql_log" }
/*
* m_sql_oper [EXTRA]
*
* This module allows granting users services operator privileges and possibly IRC Operator
* privileges based on an external SQL database using a custom query.
*/
#module
{
name = "m_sql_oper"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to determine if a user should have operator privileges.
* A field named opertype must be returned in order to link the user to their oper type.
* The oper types must be configured earlier in services.conf.
*
* If a field named modes is returned from this query then those modes are set on the user.
* Without this, only a simple +o is sent.
*
* @a@ is replaced with the user's account name
* @i@ is replaced with the user's IP
*/
query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@"
}
/*
* m_sqlite [EXTRA]
*
* This module allows other modules to use SQLite.
*/
#module
{
name = "m_sqlite"
/* A SQLite database */
sqlite
{
/* The name of this service. */
name = "sqlite/main"
/* The database name, it will be created if it does not exist. */
database = "anope.db"
}
}
/*
* webcpanel
*
* This module creates a web configuration panel that allows users and operators to perform any task
* as they could over IRC. If you are using the default configuration you should be able to access
* this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
*
* This module requires m_httpd.
*/
#module
{
name = "webcpanel"
/* Web server to use. */
server = "httpd/main";
/* Template to use. */
template = "default";
/* Page title. */
title = "Anope IRC Services";
}
/*
* m_xmlrpc
*
* Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
* By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries.
*/
#module
{
name = "m_xmlrpc"
/* Web service to use. Requires m_httpd. */
server = "httpd/main"
}
/*
* m_xmlrpc_main
*
* Adds the main XMLRPC core functions.
* Requires m_xmlrpc.
*/
#module { name = "m_xmlrpc_main" }
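
Review bot: In the m_sql_authentication block, the one uncommented `query` line checks the password with `MD5(CONCAT('salt', @p@))`, a fast hash with a single fixed salt string shared by every row. The block is left disabled via `#module`, but this is the line that will be uncommented as-is if SQL authentication is ever turned on. Suggest either dropping the disabled m_sql_authentication and m_sql_oper blocks from this file, or replacing the query with a placeholder and a comment that the backing table must store a slow, per-user-salted password hash. A smaller documentation point in the same hunk: `cert = "data/anope.crt"` and `key = "data/anope.key"` sit under instructions for a self-signed 2048-bit key, with nothing saying where this deployment provisions those files or what ownership and mode the key gets.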

@ -0,0 +1,662 @@
/*
* Example configuration file for NickServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the NickServ client.
* If you change this value, you probably want to change the client directive in the configuration for the nickserv module too.
*/
nick = "NickServ"
/*
* The username of the NickServ client.
*/
user = "services"
/*
* The hostname of the NickServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the NickServ client.
*/
gecos = "Nickname Registration Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core NickServ module.
*
* Provides essential functionality for NickServ.
*/
module
{
name = "nickserv"
/*
* The name of the client that should be NickServ.
*/
client = "NickServ"
/*
* Force users to give an e-mail address when they register a nick.
*
* This directive defaults to "yes" and is recommended to be enabled. This is required if e-mail registration is enabled.
*/
forceemail = no
/*
* Require users who change their email address to confirm they
* own their new email.
*/
confirmemailchanges = no
/*
* A message sent to users on connect if they use an unregistered nick.
*
* This directive is optional.
*/
unregistered_notice = "Your nickname is not registered. If you would like it registered, contact a netadmin (identified by ^) in #lobby to get it registered."
/*
* The default options for newly registered nicks. Note that changing these options
* will have no effect on nicks which are already registered. The list must be separated
* by spaces.
*
* The options are:
* - killprotect: Kill nick if not identified within 60 seconds
* - kill_quick: Kill nick if not identified within 20 seconds, this one overrides the above
* option and the above must be specified with this one
* - ns_secure: Enable nickname security, requiring the nick's password before any operations
* can be done on it
* - ns_private: Hide the nick from NickServ's LIST command
* - hide_email: Hide's the nick's e-mail address from NickServ's INFO command
* - hide_mask: Hide's the nick's last or current user@host from NickServ's INFO command
* - hide_quit: Hide's the nick's last quit message
* - memo_signon: Notify user if they have a new memo when they sign into the nick
* - memo_receive: Notify user if they have a new memo as soon as it's received
* - memo_mail: Notify user if they have a new memo by mail
* - autoop: User will be automatically opped in channels they enter and have access to
* - msg: Services messages will be sent as PRIVMSGs instead of NOTICEs, requires
* options:useprivmsg to be enabled as well
* - ns_keepmodes: Enables keepmodes, which retains user modes across sessions
*
* This directive is optional, if left blank, the options will default to ns_secure, memo_signon, and
* memo_receive. If you really want no defaults, use "none" by itself as the option.
*/
defaults = "ns_secure ns_private hide_email hide_mask memo_signon memo_receive autoop killprotect"
/*
* The minimum length of time between consecutive uses of NickServ's REGISTER command. This
* directive is optional, but recommended. If not set, this restriction will be disabled.
*/
regdelay = 30s
/*
* The length of time before a nick's registration expires.
*
* This directive is optional, but recommended. If not set, the default is 21 days.
*/
expire = 3650d
/*
* Prevents the use of the ACCESS and CERT (excluding their LIST subcommand), DROP, FORBID, SUSPEND,
* GETPASS and SET PASSWORD commands by services operators on other services operators.
*
* This directive is optional, but recommended.
*/
secureadmins = yes
/*
* If set, Services will set the channel modes a user has access to upon identifying, assuming
* they are not already set.
*
* This directive is optional.
*/
modeonid = yes
/*
* If set, Services will set these user modes on any user who identifies.
*
* This directive is optional.
*/
#modesonid = "+R"
/*
* If set, Services will not show netsplits in the last quit message field
* of NickServ's INFO command.
*/
hidenetsplitquit = no
/*
* If set, is the length of time NickServ's killquick and kill options wait before
* forcing users off of protected nicknames.
*/
killquick = 20s
kill = 60s
/*
* If set, forbids the registration of nicks that contain an existing
* nick with Services access. For example, if Tester is a Services Oper,
* you can't register NewTester or Tester123 unless you are an IRC
* Operator.
*
* NOTE: If you enable this, you will have to be logged in as an IRC
* operator in order to register a Services Root nick when setting up
* Anope for the first time.
*
* This directive is optional.
*/
restrictopernicks = yes
/*
* The username, and possibly hostname, used for fake users created when Services needs to
* hold a nickname.
*/
enforceruser = "enforcer"
enforcerhost = "ircservices.{{ external_domain }}"
/*
* The length of time Services hold nicknames.
*
* This directive is optional, but recommended. If not set it defaults to 1 minute.
*/
releasetimeout = 1m
/*
* When a user's nick is forcibly changed to enforce a "nick kill", their new nick will start
* with this value. The rest will be made up of 6 or 7 digits.
* Make sure this is a valid nick and Nicklen+7 is not longer than the allowed Nicklen on your ircd.
*
* This directive is optional. If not set it defaults to "Guest"
*/
guestnickprefix = "Guest"
/*
* If set, Services do not allow ownership of nick names, only ownership of accounts.
*/
nonicknameownership = no
/*
* The maximum length of passwords
*
* This directive is optional. If not set it defaults to 32.
*/
passlen = 32
}
/*
* Core NickServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Command group configuration for NickServ.
*
* Commands may optionally be placed into groups to make NickServ's HELP output easier to understand.
* Remove the following groups to use the old behavior of simply listing all NickServ commands from HELP.
*/
command_group
{
name = "nickserv/admin"
description = _("Services Operator commands")
}
/* Give it a help command. */
command { service = "NickServ"; name = "HELP"; command = "generic/help"; }
/*
* ns_access
*
* Provides the command nickserv/access.
*
* Used for configuring what hosts have access to your account.
*/
module
{
name = "ns_access"
/*
* The maximum number of entries allowed on a nickname's access list.
* If not set, the default is 32. This number cannot be set to 0.
*/
accessmax = 32
/*
* If set, Services will add the usermask of registering users to the access list of their
* newly created account. If not set, users will always have to identify to NickServ before
* being recognized, unless they manually add an address to the access list of their account.
* This directive is optional.
*/
addaccessonreg = yes
}
command { service = "NickServ"; name = "ACCESS"; command = "nickserv/access"; }
/*
* ns_ajoin
*
* Provides the command nickserv/ajoin.
*
* Used for configuring channels to join once you identify.
*/
module
{
name = "ns_ajoin"
/*
* The maximum number of channels a user can have on NickServ's AJOIN command.
*/
ajoinmax = 50
}
command { service = "NickServ"; name = "AJOIN"; command = "nickserv/ajoin"; }
/*
* ns_alist
*
* Provides the command nickserv/alist.
*
* Used for viewing what channels you have access to.
*/
module { name = "ns_alist" }
command { service = "NickServ"; name = "ALIST"; command = "nickserv/alist"; }
/*
* ns_cert
*
* Provides the command nickserv/cert.
*
* Used for configuring your SSL certificate list, which can be used to automatically identify you.
*
module
{
name = "ns_cert"
/*
* The maximum number of entries allowed on a nickname's certificate fingerprint list.
* The default is 5. This number cannot be set to 0.
*
max = 5
}
command { service = "NickServ"; name = "CERT"; command = "nickserv/cert"; }
*/
/*
* ns_drop
*
* Provides the command nickserv/drop.
*
* Used for unregistering names.
*/
module { name = "ns_drop" }
command { service = "NickServ"; name = "DROP"; command = "nickserv/drop"; }
/*
* ns_getemail
*
* Provides the command nickserv/getemail.
*
* Used for getting registered accounts by searching for emails.
*/
module { name = "ns_getemail" }
command { service = "NickServ"; name = "GETEMAIL"; command = "nickserv/getemail"; permission = "nickserv/getemail"; group = "nickserv/admin"; }
/*
* ns_getpass
*
* Provides the command nickserv/getpass.
*
* Used for getting users passwords.
*
* Requires no encryption is being used.
*/
#module { name = "ns_getpass" }
#command { service = "NickServ"; name = "GETPASS"; command = "nickserv/getpass"; permission = "nickserv/getpass"; }
/*
* ns_group
*
* Provides the commands nickserv/group, nickserv/glist, and nickserv/ungroup.
*
* Used for controlling nick groups.
*/
module
{
name = "ns_group"
/*
* The maximum number of nicks allowed in a group.
*
* This directive is optional, but recommended. If not set or set to 0, no limits will be applied.
*/
maxaliases = 16
/*
* If set, the NickServ GROUP command won't allow any group changes. This is recommended to
* prevent users from accidentally dropping their nicks, as it forces users to explicitly
* drop their nicks before adding it to another group.
*
* This directive is optional, but recommended.
*/
nogroupchange = yes
}
command { service = "NickServ"; name = "GLIST"; command = "nickserv/glist"; }
command { service = "NickServ"; name = "GROUP"; command = "nickserv/group"; }
command { service = "NickServ"; name = "UNGROUP"; command = "nickserv/ungroup"; }
/*
* ns_identify
*
* Provides the command nickserv/identify.
*
* Used for identifying to accounts.
*/
module { name = "ns_identify" }
command { service = "NickServ"; name = "ID"; command = "nickserv/identify"; hide = true; }
command { service = "NickServ"; name = "IDENTIFY"; command = "nickserv/identify"; }
/*
* ns_info
*
* Provides the commands:
* nickserv/info. - Used for gathering information about an account.
* nickserv/set/hide, nickserv/saset/hide - Used for configuring which options are publically shown in nickserv/info.
*
*/
module { name = "ns_info" }
command { service = "NickServ"; name = "INFO"; command = "nickserv/info"; }
command { service = "NickServ"; name = "SET HIDE"; command = "nickserv/set/hide"; }
command { service = "NickServ"; name = "SASET HIDE"; command = "nickserv/saset/hide"; permission = "nickserv/saset/hide"; }
/*
* ns_list
*
* Provides the commands:
* nickserv/list - Used for retrieving and searching the registered account list.
* nickserv/set/private, nickserv/saset/private - Used for configuring whether or a users account shows up in nickserv/list.
*
*/
module
{
name = "ns_list"
/*
* The maximum number of nicks to be returned for a NickServ LIST command.
*/
listmax = 50
}
command { service = "NickServ"; name = "LIST"; command = "nickserv/list"; }
command { service = "NickServ"; name = "SET PRIVATE"; command = "nickserv/set/private"; }
command { service = "NickServ"; name = "SASET PRIVATE"; command = "nickserv/saset/private"; permission = "nickserv/saset/private"; }
/*
* ns_logout
*
* Provides the command nickserv/logout.
*
* Used for logging out of your account.
*/
module { name = "ns_logout" }
command { service = "NickServ"; name = "LOGOUT"; command = "nickserv/logout"; }
/*
* ns_recover
*
* Provides the command nickserv/recover.
*
* Used for recovering your nick from services or another user.
*/
module
{
name = "ns_recover"
/*
* If set, Services will svsnick and svsjoin users who use the recover
* command on an identified user to the nick and channels of the recovered user.
*
* This directive is opional.
*/
restoreonrecover = yes
}
command { service = "NickServ"; name = "RECOVER"; command = "nickserv/recover"; }
# Uncomment below to emulate 1.8's behavior of ghost and release.
#command { service = "NickServ"; name = "GHOST"; command = "nickserv/recover"; }
#command { service = "NickServ"; name = "RELEASE"; command = "nickserv/recover"; }
/*
* ns_register
*
* Provides the commands nickserv/confirm, nickserv/register, and nickserv/resend.
*
* Used for registering accounts.
*/
module
{
name = "ns_register"
/*
* Registration confirmation setting. Set to "none" for no registration confirmation,
* "mail" for email confirmation, and "admin" to have services operators manually confirm
* every registration. Set to "disable" to completely disable all registrations.
*/
registration = "none"
/*
* The minimum length of time between consecutive uses of NickServ's RESEND command.
*
* This directive is optional, but recommended. If not set, this restriction will be disabled.
*/
resenddelay = 90s
/*
* Prevents users from registering their nick if they are not connected
* for at least the given number of seconds.
*
* This directive is optional.
*/
#nickregdelay = 30s
/*
* The length of time a user using an unconfirmed account has
* before the account will be released for general use again.
*/
#unconfirmedexpire = 1d
}
#command { service = "NickServ"; name = "CONFIRM"; command = "nickserv/confirm"; }
command { service = "NickServ"; name = "REGISTER"; command = "nickserv/register"; }
#command { service = "NickServ"; name = "RESEND"; command = "nickserv/resend"; }
/*
* ns_resetpass
*
* Provides the command nickserv/resetpass.
*
* Used for resetting passwords by emailing users a temporary one.
*/
/*module { name = "ns_resetpass" }
command { service = "NickServ"; name = "RESETPASS"; command = "nickserv/resetpass"; }
*/
/*
* ns_set
*
* Provides the commands:
* nickserv/set, nickserv/saset - Dummy help wrappers for the SET and SASET commands.
* nickserv/set/autoop, nickserv/saset/autoop - Determines whether or not modes are automatically set users when joining a channel.
* nickserv/set/display, nickserv/saset/display - Used for setting a users display name.
* nickserv/set/email, nickserv/saset/email - Used for setting a users email address.
* nickserv/set/keepmodes, nickserv/saset/keepmodes - Configure whether or not services should retain a user's modes across sessions.
* nickserv/set/kill, nickserv/saset/kill - Used for configuring nickname protection.
* nickserv/set/language, nickserv/saset/language - Used for configuring what language services use.
* nickserv/set/message, nickserv/saset/message - Used to configure how services send messages to you.
* nickserv/set/password, nickserv/saset/password - Used for changing a users password.
* nickserv/set/secure, nickserv/saset/secure - Used for configuring whether a user can identify by simply being recognized by nickserv/access.
* nickserv/saset/noexpire - Used for configuring noexpire, which prevents nicks from expiring.
*/
module
{
name = "ns_set"
/*
* Allow the use of the IMMED option in the NickServ SET KILL command.
*
* This directive is optional.
*/
#allowkillimmed = yes
}
command { service = "NickServ"; name = "SET"; command = "nickserv/set"; }
command { service = "NickServ"; name = "SASET"; command = "nickserv/saset"; permission = "nickserv/saset/"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "SET AUTOOP"; command = "nickserv/set/autoop"; }
command { service = "NickServ"; name = "SASET AUTOOP"; command = "nickserv/saset/autoop"; permission = "nickserv/saset/autoop"; }
command { service = "NickServ"; name = "SET DISPLAY"; command = "nickserv/set/display"; }
command { service = "NickServ"; name = "SASET DISPLAY"; command = "nickserv/saset/display"; permission = "nickserv/saset/display"; }
command { service = "NickServ"; name = "SET EMAIL"; command = "nickserv/set/email"; }
command { service = "NickServ"; name = "SASET EMAIL"; command = "nickserv/saset/email"; permission = "nickserv/saset/email"; }
command { service = "NickServ"; name = "SET KEEPMODES"; command = "nickserv/set/keepmodes"; }
command { service = "NickServ"; name = "SASET KEEPMODES"; command = "nickserv/saset/keepmodes"; permission = "nickserv/saset/keepmodes"; }
command { service = "NickServ"; name = "SET KILL"; command = "nickserv/set/kill"; }
command { service = "NickServ"; name = "SASET KILL"; command = "nickserv/saset/kill"; permission = "nickserv/saset/kill"; }
command { service = "NickServ"; name = "SET LANGUAGE"; command = "nickserv/set/language"; }
command { service = "NickServ"; name = "SASET LANGUAGE"; command = "nickserv/saset/language"; permission = "nickserv/saset/language"; }
command { service = "NickServ"; name = "SET MESSAGE"; command = "nickserv/set/message"; }
command { service = "NickServ"; name = "SASET MESSAGE"; command = "nickserv/saset/message"; permission = "nickserv/saset/message"; }
/* command { service = "NickServ"; name = "SET PASSWORD"; command = "nickserv/set/password"; }
command { service = "NickServ"; name = "SASET PASSWORD"; command = "nickserv/saset/password"; permission = "nickserv/saset/password"; }
*/
command { service = "NickServ"; name = "SET SECURE"; command = "nickserv/set/secure"; }
command { service = "NickServ"; name = "SASET SECURE"; command = "nickserv/saset/secure"; permission = "nickserv/saset/secure"; }
command { service = "NickServ"; name = "SASET NOEXPIRE"; command = "nickserv/saset/noexpire"; permission = "nickserv/saset/noexpire"; }
/*
* ns_set_misc
*
* Provides the command nickserv/set/misc.
*
* Allows you to create arbitrary commands to set data, and have that data show up in nickserv/info.
* A field named misc_description may be given for use with help output.
*/
module { name = "ns_set_misc" }
command { service = "NickServ"; name = "SET URL"; command = "nickserv/set/misc"; misc_description = _("Associate a URL with your account"); }
command { service = "NickServ"; name = "SASET URL"; command = "nickserv/saset/misc"; misc_description = _("Associate a URL with this account"); permission = "nickserv/saset/url"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET ICQ"; command = "nickserv/set/misc"; misc_description = _("Associate an ICQ account with your account"); }
#command { service = "NickServ"; name = "SASET ICQ"; command = "nickserv/saset/misc"; misc_description = _("Associate an ICQ account with this account"); permission = "nickserv/saset/icq"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET TWITTER"; command = "nickserv/set/misc"; misc_description = _("Associate a Twitter account with your account"); }
#command { service = "NickServ"; name = "SASET TWITTER"; command = "nickserv/saset/misc"; misc_description = _("Associate a Twitter account with this account"); permission = "nickserv/saset/twitter"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET FACEBOOK"; command = "nickserv/set/misc"; misc_description = _("Associate a Facebook URL with your account"); }
#command { service = "NickServ"; name = "SASET FACEBOOK"; command = "nickserv/saset/misc"; misc_description = _("Associate a Facebook URL with this account"); permission = "nickserv/saset/facebook"; group = "nickserv/admin"; }
/*
* ns_status
*
* Provides the nickserv/status command.
*
* Used to determine if a user is recognized or identified by services.
*/
module { name = "ns_status" }
command { service = "NickServ"; name = "STATUS"; command = "nickserv/status"; }
/*
* ns_suspend
*
* Provides the commands nickserv/suspend and nickserv/unsuspend.
*
* Used to suspend and unsuspend nicknames. Suspended nicknames can not be used but their settings are preserved.
*/
module
{
name = "ns_suspend"
/*
* The length of time before a suspended nick becomes unsuspended.
*
* This directive is optional. If not set, the default is never.
*/
#suspendexpire = 90d
/*
* Settings to show to non-opers in NickServ's INFO output.
* Comment to completely disable showing any information about
* suspended nicknames to non-opers.
*/
show = "suspended, by, reason, on, expires"
}
command { service = "NickServ"; name = "SUSPEND"; command = "nickserv/suspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "UNSUSPEND"; command = "nickserv/unsuspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
/*
* ns_update
*
* Provides the command nickserv/update.
*
* Used to update your status on all channels, turn on your vHost, etc.
*/
module { name = "ns_update" }
command { service = "NickServ"; name = "UPDATE"; command = "nickserv/update"; }
/*
* Extra NickServ related modules.
*/
/*
* ns_maxemail
*
* Limits how many times the same email address may be used in Anope
* to register accounts.
*/
#module
{
name = "ns_maxemail"
/*
* The limit to how many registered nicks can use the same e-mail address. If set to 0 or left
* commented, there will be no limit enforced when registering new accounts or using
* /msg NickServ SET EMAIL.
*/
maxemails = 1
}
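
Review bot: In ns_register, `registration = "none"` together with the still-enabled `REGISTER` command and `forceemail = no` lets any connected user self-register with no confirmation, which contradicts `unregistered_notice` telling users to contact a netadmin in #lobby to get a nick registered. If registration is meant to be operator-gated, set `registration = "admin"` or `"disable"` (both are described in the comment above the setting) and re-enable `CONFIRM` as needed; if open registration is intended, reword the notice and consider uncommenting `nickregdelay`, since `regdelay = 30s` is the only throttle left. Separately, ns_cert is disabled by turning two inner `*/` terminators into `*` so the outer comment swallows the module and its `CERT` command; the `#module` / `#command` prefix used for ns_getpass and ns_maxemail is less fragile and easier to spot in review.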

@ -0,0 +1,701 @@
/*
* Example configuration file for OperServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the OperServ client.
* If you change this value, you probably want to change the client directive in the configuration for the operserv module too.
*/
nick = "OperServ"
/*
* The username of the OperServ client.
*/
user = "services"
/*
* The hostname of the OperServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the OperServ client.
*/
gecos = "Operator Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core OperServ module.
*
* Provides essential functionality for OperServ.
*/
module
{
name = "operserv"
/*
* The name of the client that should be OperServ.
*/
client = "OperServ"
/*
* These define the default expiration times for, respectively, AKILLs, CHANKILLs, SNLINEs,
* and SQLINEs.
*/
autokillexpiry = 30d
chankillexpiry = 30d
snlineexpiry = 30d
sqlineexpiry = 30d
/*
* If set, this option will make Services send an AKILL command immediately after it has been
* added with AKILL ADD. This eliminates the need for killing the user after the AKILL has
* been added.
*
* This directive is optional, but recommended.
*/
akillonadd = yes
/*
* If set, this option will make Services send an (SVS)KILL command immediately after SNLINE ADD.
* This eliminates the need for killing the user after the SNLINE has been added.
*
* This directive is optional.
*/
killonsnline = yes
/*
* If set, this option will make Services send an (SVS)KILL command immediately after SQLINE ADD.
* This eliminates the need for killing the user after the SQLINE has been added.
*
* This directive is optional.
*/
killonsqline = yes
/*
* Adds the nickname of the IRC Operator issuing an AKILL to the kill reason.
*
* This directive is optional.
*/
addakiller = yes
/*
* Adds akill IDs to akills. Akill IDs are given to users in their ban reason and can be used to easily view,
* modify, or remove an akill from the ID.
*/
akillids = yes
/*
* If set, only IRC Operators will be permitted to use OperServ, regardless of command access restrictions.
*
* This directive is optional, but recommended.
*/
opersonly = yes
}
/*
* Core OperServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "OperServ"; name = "HELP"; command = "generic/help"; }
/*
* os_akill
*
* Provides the command operserv/akill.
*
* Used to ban users from the network.
*/
module { name = "os_akill" }
command { service = "OperServ"; name = "AKILL"; command = "operserv/akill"; permission = "operserv/akill"; }
/*
* os_chankill
*
* Provides the command operserv/chankill.
*
* Used to akill users from an entire channel.
*/
module { name = "os_chankill" }
command { service = "OperServ"; name = "CHANKILL"; command = "operserv/chankill"; permission = "operserv/chankill"; }
/*
* os_session
*
* Provides the commands operserv/exception and operserv/session.
*
* This module enables session limiting. Session limiting prevents users from connecting more than a certain
* number of times from the same IP at the same time - thus preventing most types of cloning.
* Once a host reaches it's session limit, all clients attempting to connect from that host will
* be killed. Exceptions to the default session limit can be defined via the exception list.
*
* Used to manage the session limit exception list, and view currently active sessions.
*/
module
{
name = "os_session"
/*
* Default session limit per host. Once a host reaches its session limit, all clients attempting
* to connect from that host will be killed.
*
* This directive is required if os_session is loaded.
*/
defaultsessionlimit = 3
/*
* The maximum session limit that may be set for a host in an exception.
*
* This directive is required if os_session is loaded.
*/
maxsessionlimit = 100
/*
* Sets the default expiry time for session exceptions.
*
* This directive is required if os_session is loaded.
*/
exceptionexpiry = 1d
/*
* The message that will be NOTICE'd to a user just before they are removed from the network because
* their host's session limit has been exceeded. It may be used to give a slightly more descriptive
* reason for the impending kill as opposed to simply "Session limit exceeded".
*
* This directive is optional, if not set, nothing will be sent.
*/
sessionlimitexceeded = "The session limit for your IP %IP% has been exceeded."
/*
* Same as above, but should be used to provide a website address where users can find out more
* about session limits and how to go about applying for an exception.
*
* Note: This directive has been intentionally commented out in an effort to remind you to change
* the URL it contains. It is recommended that you supply an address/URL where people can get help
* regarding session limits.
*
* This directive is optional, if not set, nothing will be sent.
*/
#sessionlimitdetailsloc = "Please visit http://your.website.url/ for more information about session limits."
/*
* If set and is not 0, this directive tells Services to add an AKILL if the number of subsequent kills
* for the same host exceeds this value, preventing the network from experiencing KILL floods.
*
* This directive is optional.
*/
maxsessionkill = 15
/*
* Sets the expiry time for AKILLs set for hosts exceeding the maxsessionkill directive limit.
*
* This directive is optional, if not set, defaults to 30 minutes.
*/
sessionautokillexpiry = 30m
/*
* Sets the CIDR value used to determine which IP addresses represent the same person.
* By default this would limit 3 connections per IPv4 IP and 3 connections per IPv6 IP.
* If you are receiving IPv6 clone attacks it may be useful to set session_ipv6_cidr to
* 64 or 48.
*/
session_ipv4_cidr = 32
session_ipv6_cidr = 128
}
command { service = "OperServ"; name = "EXCEPTION"; command = "operserv/exception"; permission = "operserv/exception"; }
command { service = "OperServ"; name = "SESSION"; command = "operserv/session"; permission = "operserv/session"; }
/*
* os_defcon
*
* Provides the command operserv/defcon.
*
* Allows you to set services in defcon mode, which can be used to restrict services access
* during bot attacks.
*/
module
{
name = "os_defcon"
/*
* Default DefCon level (1-5) to use when starting Services up. Level 5 constitutes normal operation
* while level 1 constitutes the most restrictive operation. If this setting is left out or set to
* 0, DefCon will be disabled and the rest of this block will be ignored.
*/
defaultlevel = 5
/*
* The following 4 directives define what operations will take place when DefCon is set to levels
* 1 through 4. Each level is a list that must be separated by spaces.
*
* The following operations can be defined at each level:
* - nonewchannels: Disables registering new channels
* - nonewnicks: Disables registering new nicks
* - nomlockchanges: Disables changing MLOCK on registered channels
* - forcechanmodes: Forces all channels to have the modes given in the later chanmodes directive
* - reducedsessions: Reduces the session limit to the value given in the later sessionlimit directive
* - nonewclients: KILL any new clients trying to connect
* - operonly: Services will ignore all non-IRCops
* - silentoperonly: Services will silently ignore all non-IRCops
* - akillnewclients: AKILL any new clients trying to connect
* - nonewmemos: No new memos will be sent to block MemoServ attacks
*/
level4 = "nonewchannels nonewnicks nomlockchanges reducedsessions"
level3 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions"
level2 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions silentoperonly"
level1 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions silentoperonly akillnewclients"
/*
* New session limit to use when a DefCon level is using "reduced" session limiting.
*/
sessionlimit = 2
/*
* Length of time to add an AKILL for when DefCon is preventing new clients from connecting to the
* network.
*/
akillexpire = 5m
/*
* The channel modes to set on all channels when the DefCon channel mode system is in use.
*
* Note 1: Choose these modes carefully, because when DefCon switches to a level which does NOT have
* the mode setting selected, Services will set the reverse on all channels, e.g. if this setting
* is +RN when DefCon is used, all channels will be set to +RN, when DefCon is removed, all
* channels will be set to -RN. You don't want to set this to +k for example, because when DefCon
* is removed, all channels are set -k, removing the key from previously keyed channels.
*
* Note 2: MLOCKed modes will not be lost.
*/
chanmodes = "+Ri"
/*
* This value can be used to automatically return the network to DefCon level 5 after the specified
* time period, just in case any IRC Operator forgets to remove a DefCon setting.
*
* This directive is optional.
*/
timeout = 15m
/*
* If set, Services will send a global message on DefCon level changes.
*
* This directive is optional.
*/
globalondefcon = yes
/*
* If set, Services will send the global message defined in the message directive on DefCon level
* changes.
*
* This directive is optional.
*/
#globalondefconmore = yes
/*
* Defines the message that will be sent on DefCon level changes when globalondefconmore is set.
*
* This directive is required only when globalondefconmore is set.
*/
#message = "Put your message to send your users here. Don't forget to uncomment globalondefconmore"
/*
* Defines the message that will be sent when DefCon is returned to level 5. This directive is optional,
* and will also override globalondefcon and globalondefconmore when set.
*/
offmessage = "Services are now back to normal; sorry for any inconvenience"
/*
* Defines the reason to use when clients are KILLed or AKILLed from the network while the proper
* DefCon operation is in effect.
*/
akillreason = "This network is currently not accepting connections. We are working on diagnostics, so please try again later."
}
command { service = "OperServ"; name = "DEFCON"; command = "operserv/defcon"; }
/*
* os_dns
*
* Provides the command operserv/dns.
*
* This module requires that m_dns is loaded.
*
* This module allows controlling a DNS zone. This is useful for
* controlling what servers users are placed on for load balancing,
* and to automatically remove split servers.
*
* To use this module you must set a nameserver record for services
* so that DNS queries go to services.
*
* Alternatively, you may use a slave DNS server to hide service's IP,
* provide query caching, and provide better fault tolerance.
*
* To do this using BIND, configure similar to:
*
* options { max-refresh-time 60; };
* zone "irc.example.com" IN {
* type slave;
* masters { 127.0.0.1 port 5353; };
* };
*
* Where 127.0.0.1:5353 is the IP and port services are listening on.
* We recommend you externally firewall both UDP and TCP to the port
* Anope is listening on.
*
* Finally set a NS record for irc.example.com. to BIND or services.
*/
#module
{
name = "os_dns"
/* TTL for records. This should be very low if your records change often. */
ttl = 1m
/* If a server drops this many users the server is automatically removed from the DNS zone.
* This directive is optional.
*/
user_drop_mark = 50
/* The time used for user_drop_mark. */
user_drop_time = 1m
/* When a server is removed from the zone for dropping users, it is readded after this time.
* This directive is optional.
*/
user_drop_readd_time = 5m
/* If set, when a server splits, it is automatically removed from the zone. */
remove_split_servers = yes
/* If set, when a server connects to the network, it will be automatically added to
* the zone if it is a known server.
*/
readd_connected_servers = no
}
#command { service = "OperServ"; name = "DNS"; command = "operserv/dns"; permission = "operserv/dns"; }
/*
* os_config
*
* Provides the command operserv/config.
*
* Used to view and set configuration options while services are running.
*/
module { name = "os_config" }
command { service = "OperServ"; name = "CONFIG"; command = "operserv/config"; permission = "operserv/config"; }
/*
* os_forbid
*
* Provides the command operserv/forbid.
*
* Used to forbid specific nicks, channels, emails, etc. from being used.
*/
module { name = "os_forbid" }
command { service = "OperServ"; name = "FORBID"; command = "operserv/forbid"; permission = "operserv/forbid"; }
/*
* os_ignore
*
* Provides the command operserv/ignore.
*
* Used to make Services ignore users.
*/
module { name = "os_ignore" }
command { service = "OperServ"; name = "IGNORE"; command = "operserv/ignore"; permission = "operserv/ignore"; }
/*
* os_info
*
* Provides the command operserv/info.
*
* Used to add oper only notes to users and channels.
*/
module { name = "os_info" }
command { service = "OperServ"; name = "INFO"; command = "operserv/info"; permission = "operserv/info"; }
/*
* os_jupe
*
* Provides the command operserv/jupe.
*
* Used to disconnect servers from the network and prevent them from relinking.
*/
module { name = "os_jupe" }
command { service = "OperServ"; name = "JUPE"; command = "operserv/jupe"; permission = "operserv/jupe"; }
/*
* os_kick
*
* Provides the command operserv/kick.
*
* Used to kick users from channels.
*/
module { name = "os_kick" }
command { service = "OperServ"; name = "KICK"; command = "operserv/kick"; permission = "operserv/kick"; }
/*
* os_kill
*
* Provides the command operserv/kill.
*
* Used to forcibly disconnect users from the network.
*/
module { name = "os_kill" }
command { service = "OperServ"; name = "KILL"; command = "operserv/kill"; permission = "operserv/kill"; }
/*
* os_list
*
* Provides the commands operserv/chanlist and operserv/userlist.
*
* Used to list and search the channels and users currently on the network.
*/
module { name = "os_list" }
command { service = "OperServ"; name = "CHANLIST"; command = "operserv/chanlist"; permission = "operserv/chanlist"; }
command { service = "OperServ"; name = "USERLIST"; command = "operserv/userlist"; permission = "operserv/userlist"; }
/*
* os_login
*
* Provides the commands operserv/login and operserv/logout.
*
* Used to login to OperServ, only required if your oper block requires this.
*/
module { name = "os_login" }
command { service = "OperServ"; name = "LOGIN"; command = "operserv/login"; }
command { service = "OperServ"; name = "LOGOUT"; command = "operserv/logout"; }
/*
* os_logsearch
*
* Provides the command operserv/logsearch.
*
* Used to search services log files.
*/
module
{
name = "os_logsearch"
/* The log file name to search. There should be a log{} block configured to log
* to a file of this name.
*/
logname = "services.log"
}
command { service = "OperServ"; name = "LOGSEARCH"; command = "operserv/logsearch"; permission = "operserv/logsearch"; }
/*
* os_mode
*
* Provides the commands operserv/mode and operserv/umode.
*
* Used to change user and channel modes.
*/
module { name = "os_mode" }
command { service = "OperServ"; name = "UMODE"; command = "operserv/umode"; permission = "operserv/umode"; }
command { service = "OperServ"; name = "MODE"; command = "operserv/mode"; permission = "operserv/mode"; }
/*
* os_modinfo
*
* Provides the commands operserv/modinfo and operserv/modlist.
*
* Used to show information about loaded modules.
*/
module { name = "os_modinfo" }
command { service = "OperServ"; name = "MODINFO"; command = "operserv/modinfo"; permission = "operserv/modinfo"; }
command { service = "OperServ"; name = "MODLIST"; command = "operserv/modlist"; permission = "operserv/modinfo"; }
/*
* os_module
*
* Provides the commands operserv/modload, operserv/modreload, and operserv/modunload.
*
* Used to load, reload, and unload modules.
*/
module { name = "os_module" }
command { service = "OperServ"; name = "MODLOAD"; command = "operserv/modload"; permission = "operserv/modload"; }
command { service = "OperServ"; name = "MODRELOAD"; command = "operserv/modreload"; permission = "operserv/modload"; }
command { service = "OperServ"; name = "MODUNLOAD"; command = "operserv/modunload"; permission = "operserv/modload"; }
/*
* os_news
*
* Provides the commands operserv/logonnews, operserv/opernews, and operserv/randomnews.
*
* Used to configure news notices shown to users when they connect, and opers when they oper.
*/
module
{
name = "os_news"
/*
* The service bot names to use to send news to users on connection
* and to opers when they oper.
*/
announcer = "Global"
oper_announcer = "OperServ"
/*
* The number of LOGON/OPER news items to display when a user logs on.
*
* This directive is optional, if not set it will default to 3.
*/
#newscount = 3
}
command { service = "OperServ"; name = "LOGONNEWS"; command = "operserv/logonnews"; permission = "operserv/news"; }
command { service = "OperServ"; name = "OPERNEWS"; command = "operserv/opernews"; permission = "operserv/news"; }
command { service = "OperServ"; name = "RANDOMNEWS"; command = "operserv/randomnews"; permission = "operserv/news"; }
/*
* os_noop
*
* Provides the command operserv/noop.
*
* Used to NOOP a server, which prevents users from opering on that server.
*/
module { name = "os_noop" }
command { service = "OperServ"; name = "NOOP"; command = "operserv/noop"; permission = "operserv/noop"; }
/*
* os_oline
*
* Provides the command operserv/oline.
*
* Used to set oper flags on users, and is specific to UnrealIRCd.
* See /helpop ?svso on your IRCd for more information.
*
* module { name = "os_oline" }
* command { service = "OperServ"; name = "OLINE"; command = "operserv/oline"; permission = "operserv/oline"; }
*/
/*
* os_oper
*
* Provides the command operserv/oper.
*
* Used to configure opers and show information about opertypes.
*/
module { name = "os_oper" }
command { service = "OperServ"; name = "OPER"; command = "operserv/oper"; permission = "operserv/oper"; }
/*
* os_reload
*
* Provides the command operserv/reload.
*
* Used to reload the services.conf configuration file.
*/
module { name = "os_reload" }
command { service = "OperServ"; name = "RELOAD"; command = "operserv/reload"; permission = "operserv/reload"; }
/*
* os_set
*
* Provides the command operserv/set.
*
* Used to set various settings such as superadmin, debug mode, etc.
*/
module
{
name = "os_set"
/*
* If set, Services Admins will be able to use SUPERADMIN [ON|OFF] which will temporarily grant
* them extra privileges such as being a founder on ALL channels.
*
* This directive is optional.
*/
superadmin = yes
}
command { service = "OperServ"; name = "SET"; command = "operserv/set"; permission = "operserv/set"; }
/*
* os_shutdown
*
* Provides the commands operserv/quit, operserv/restart, and operserv/shutdown.
*
* Used to quit, restart, or shutdown services.
*/
module { name = "os_shutdown" }
command { service = "OperServ"; name = "QUIT"; command = "operserv/quit"; permission = "operserv/quit"; }
command { service = "OperServ"; name = "RESTART"; command = "operserv/restart"; permission = "operserv/restart"; }
command { service = "OperServ"; name = "SHUTDOWN"; command = "operserv/shutdown"; permission = "operserv/shutdown"; }
/*
* os_stats
*
* Provides the operserv/stats command.
*
* Used to show statistics about services.
*/
module { name = "os_stats" }
command { service = "OperServ"; name = "STATS"; command = "operserv/stats"; permission = "operserv/stats"; }
/*
* os_svs
*
* Provides the commands operserv/svsnick, operserv/svsjoin, and operserv/svspart.
*
* Used to force users to change nicks, join and part channels.
*/
module { name = "os_svs" }
command { service = "OperServ"; name = "SVSNICK"; command = "operserv/svsnick"; permission = "operserv/svs"; }
command { service = "OperServ"; name = "SVSJOIN"; command = "operserv/svsjoin"; permission = "operserv/svs"; }
command { service = "OperServ"; name = "SVSPART"; command = "operserv/svspart"; permission = "operserv/svs"; }
/*
* os_sxline
*
* Provides the operserv/snline and operserv/sqline commands.
*
* Used to ban real names, nick names, and possibly channels.
*/
module { name = "os_sxline" }
command { service = "OperServ"; name = "SNLINE"; command = "operserv/snline"; permission = "operserv/snline"; }
command { service = "OperServ"; name = "SQLINE"; command = "operserv/sqline"; permission = "operserv/sqline"; }
/*
* os_update
*
* Provides the operserv/update command.
*
* Use to immediately update the databases.
*/
module { name = "os_update" }
command { service = "OperServ"; name = "UPDATE"; command = "operserv/update"; permission = "operserv/update"; }
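Review bot: `chanmodes = "+Ri"` in the os_defcon block will strip invite-only from channels once DefCon ends. Note 1 directly above it says Services sets the reverse on all channels when the level no longer selects the mode setting, so returning to level 5 (which `timeout = 15m` does automatically) sets -Ri everywhere, and any channel that held +i without an MLOCK loses it. Suggest dropping `i` from this value, or confirming that every invite-only channel has +i MLOCKed before this ships. Three smaller points in the same file: apart from LOGIN and LOGOUT, `command { service = "OperServ"; name = "DEFCON"; command = "operserv/defcon"; }` is the only OperServ command in this part of the file with no `permission` field, so either add one or leave a comment explaining the omission. `superadmin = yes` in os_set lets Services Admins take founder-level access on all channels, which deserves a comment recording that it is intentional and who holds `operserv/set`. `session_ipv6_cidr = 128` counts sessions per single IPv6 address, and the comment above it already points to 64 or 48 if IPv6 clones are a concern.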

Some files were not shown because too many files have changed in this diff